Requesting assistance with XP Antivirus removal


phoppe

Hello and thanks in advance. My kids' computer running Windows XP recently got infected with the "XP Antivirus" program. McAfee real-time scanning did not catch it, so I downloaded, ran, and installed Malwarebytes. The scan removed the infection temporarily. I purchased the full program and enabled real-time protection. However, one of the Windows user profiles (the one that was the source of the infection) again became infected. Shortcuts (even those on the Windows Programs menu) lead to an "Open with" window, which, if I choose the appropriate program (such as firefox.exe), leads to a "security warning" dialog box about using the program (such as firefox.exe). Closing the window allows the browser to load with no apparent problems.

Below are the Malwarebytes logs (several), the protection logs, and the GMER log. Thanks for your assistance.

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5867

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

2/24/2011 8:41:48 AM

mbam-log-2011-02-24 (08-41-48).txt

Scan type: Full scan (C:\|)

Objects scanned: 248670

Time elapsed: 1 hour(s), 5 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 2

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\g043oqxanu (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched (Trojan.FakeAlert) -> Value: SunJavaUpdateSched -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\tcnlntbe (Trojan.FakeAlert.Gen) -> Value: tcnlntbe -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\program files\common files\Java\java update\jusched.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\documents and settings\all users\start menu\Programs\Startup\new text document.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\documents and settings\lucas hoppenjans\local settings\application data\bcf.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5867

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

2/25/2011 12:18:55 AM

mbam-log-2011-02-25 (00-18-55).txt

Scan type: Quick scan

Objects scanned: 181052

Time elapsed: 9 minute(s), 49 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5874

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

2/25/2011 6:56:41 AM

mbam-log-2011-02-25 (06-56-41).txt

Scan type: Flash scan

Objects scanned: 127866

Time elapsed: 1 minute(s), 27 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5874

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

2/25/2011 8:01:23 AM

mbam-log-2011-02-25 (08-01-23).txt

Scan type: Full scan (C:\|)

Objects scanned: 247958

Time elapsed: 1 hour(s), 4 minute(s), 25 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

PROTECTION LOGS:

2-24-11

08:50:29 Hoppenjans Admin MESSAGE Protection started successfully

08:50:38 Hoppenjans Admin MESSAGE IP Protection started successfully

2-25-11

00:08:19 Hoppenjans Admin MESSAGE Protection started successfully

00:08:30 Hoppenjans Admin MESSAGE IP Protection started successfully

06:49:18 Lucas Hoppenjans MESSAGE Scheduled update executed successfully

06:54:40 Hoppenjans Admin MESSAGE Protection started successfully

06:54:48 Hoppenjans Admin MESSAGE IP Protection started successfully

06:54:49 Hoppenjans Admin MESSAGE IP Protection stopped

06:54:55 Hoppenjans Admin MESSAGE Database updated successfully

06:55:02 Hoppenjans Admin MESSAGE IP Protection started successfully

08:24:49 Hoppenjans Admin MESSAGE Protection started successfully

08:24:59 Hoppenjans Admin MESSAGE IP Protection started successfully

11:48:26 Hoppenjans Admin IP-BLOCK 212.95.55.76 (Type: outgoing)

11:48:29 Hoppenjans Admin IP-BLOCK 212.95.55.76 (Type: outgoing)

11:48:35 Hoppenjans Admin IP-BLOCK 212.95.55.76 (Type: outgoing)

2-26-11

06:20:39 Hoppenjans Admin MESSAGE Scheduled update executed successfully

06:20:39 Hoppenjans Admin MESSAGE IP Protection stopped

06:21:09 Hoppenjans Admin MESSAGE Database updated successfully

06:21:19 Hoppenjans Admin MESSAGE IP Protection started successfully

09:11:46 Hoppenjans Admin IP-BLOCK 174.36.243.14 (Type: outgoing)

DDS (Ver_10-12-12.02) - NTFSx86

Run by Hoppenjans Admin at 8:30:12.98 on Fri 02/25/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3006.2170 [GMT -5:00]

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: Norton Internet Worm Protection *Disabled*

FW: McAfee Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\Program Files\iPod\bin\iPodService.exe

C:\Documents and Settings\Hoppenjans Admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0070721

uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us

uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us

uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0070721

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101107085258.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No File

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"

mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

dRunOnce: [RunNarrator] Narrator.exe

StartupFolder: c:\docume~1\hoppen~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxps://support.dell.com/systemprofiler/SysPro.CAB

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188070646546

DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: GoToAssist - c:\program files\citrix\gotoassist\480\G2AWinLogon.dll

AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hoppen~1\applic~1\mozilla\firefox\profiles\helee9iz.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=

FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/?.home=ytff

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - plugin: c:\documents and settings\lucas hoppenjans\application data\move networks\plugins\npqmp071705000014.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-8-4 386840]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-8-4 84072]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-2-24 363344]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-5-3 203280]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-4 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-4 271480]

R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-4 271480]

R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-8-4 171168]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-8-4 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-8-4 141792]

R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-7-21 1247600]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-8-4 55840]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-2-24 20952]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-8-4 152960]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-8-4 52104]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-8-4 313288]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-8-4 88544]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-28 135664]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-8-4 88544]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-4 84264]

=============== Created Last 30 ================

2011-02-24 12:33:55 -------- d-----w- c:\docume~1\hoppen~1\applic~1\Malwarebytes

2011-02-24 12:33:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-02-24 12:33:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2011-02-24 12:33:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-02-24 12:33:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-02-05 01:20:34 -------- d-----w- c:\program files\iPod

2011-02-05 01:20:29 -------- d-----w- c:\program files\iTunes

==================== Find3M ====================

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys

2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll

2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-12-20 23:59:19 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec

2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll

2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll

2010-12-09 13:42:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-12-09 13:07:07 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

============= FINISH: 8:31:53.21 ===============

GMER 1.0.15.15530 - http://www.gmer.net

Rootkit scan 2011-02-26 02:39:53

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\0000006c ST380815AS rev.3.ADA

Running: 9sen6lhd.exe; Driver: C:\DOCUME~1\HOPPEN~1\LOCALS~1\Temp\pwldypod.sys

---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9E8B0E0]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9E8B0F4]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9E8B120]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9E8B176]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9E8B0CC]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9E8B0A4]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9E8B0B8]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9E8B10A]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9E8B14C]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9E8B136]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9E8B1A0]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9E8B18C]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9E8B160]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504B08 7 Bytes JMP B9E8B164 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB92C2360, 0x2456AE, 0xE8000020]

? C:\DOCUME~1\HOPPEN~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[420] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00A1000A

.text C:\WINDOWS\system32\svchost.exe[420] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00A10FEF

.text C:\WINDOWS\system32\svchost.exe[420] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A1001B

.text C:\WINDOWS\system32\svchost.exe[420] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A0000A

.text C:\WINDOWS\system32\svchost.exe[420] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A00F8D

.text C:\WINDOWS\system32\svchost.exe[420] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A00082

.text C:\WINDOWS\system32\svchost.exe[420] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A00065

.text C:\WINDOWS\system32\svchost.exe[420] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A00FA8

.text C:\WINDOWS\system32\svchost.exe[420] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A00FCD

.text C:\WINDOWS\system32\svchost.exe[420] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A00F4D

.text C:\WINDOWS\system32\svchost.exe[420] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A00F68

.text C:\WINDOWS\system32\svchost.exe[420] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A00F06

.text C:\WINDOWS\system32\svchost.exe[420] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A00F21

.text C:\WINDOWS\system32\svchost.exe[420] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A00EF5

.text C:\WINDOWS\system32\svchost.exe[420] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A0004A

.text C:\WINDOWS\system32\svchost.exe[420] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A00025

.text C:\WINDOWS\system32\svchost.exe[420] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A00093

.text C:\WINDOWS\system32\svchost.exe[420] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A00FDE

.text C:\WINDOWS\system32\svchost.exe[420] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A00FEF

.text C:\WINDOWS\system32\svchost.exe[420] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A00F3C

.text C:\WINDOWS\system32\svchost.exe[420] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CF0FB9

.text C:\WINDOWS\system32\svchost.exe[420] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CF005E

.text C:\WINDOWS\system32\svchost.exe[420] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CF0FCA

.text C:\WINDOWS\system32\svchost.exe[420] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CF0FE5

.text C:\WINDOWS\system32\svchost.exe[420] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CF0F97

.text C:\WINDOWS\system32\svchost.exe[420] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CF0000

.text C:\WINDOWS\system32\svchost.exe[420] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00CF0039

.text C:\WINDOWS\system32\svchost.exe[420] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CF0FA8

.text C:\WINDOWS\system32\svchost.exe[420] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CE0FB2

.text C:\WINDOWS\system32\svchost.exe[420] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CE003D

.text C:\WINDOWS\system32\svchost.exe[420] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CE0011

.text C:\WINDOWS\system32\svchost.exe[420] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CE0000

.text C:\WINDOWS\system32\svchost.exe[420] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CE0022

.text C:\WINDOWS\system32\svchost.exe[420] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CE0FD7

.text C:\WINDOWS\system32\svchost.exe[420] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00A2000A

.text C:\WINDOWS\system32\svchost.exe[420] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00A20FE5

.text C:\WINDOWS\system32\svchost.exe[420] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00A2001B

.text C:\WINDOWS\system32\svchost.exe[420] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 00A20FD4

.text C:\WINDOWS\system32\svchost.exe[420] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A30FEF

.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[732] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)


.text C:\WINDOWS\System32\svchost.exe[3804] msvcrt.dll!system 77C293C7 5 Bytes JMP 00750044

.text C:\WINDOWS\System32\svchost.exe[3804] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00750FE5

.text C:\WINDOWS\System32\svchost.exe[3804] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0075000C

.text C:\WINDOWS\System32\svchost.exe[3804] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00750FD4

.text C:\WINDOWS\System32\svchost.exe[3804] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00750029

.text C:\WINDOWS\System32\svchost.exe[3804] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AC0FEF

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device Fs_Rec.SYS (File System Recognizer Driver/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----


Hello phoppe! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware while we are working on it.
  • Keep me informed about any changes.
  • Post all of your log files, don't attach them.

What about Attach.txt?


Thanks! :)

Step 1

I see you are running Teatimer.

I suggest you disable it because it can interfere with the changes you'll make on your system.

When everything is done and your log is clean again, you can enable it again.

If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer <== click me for instructions.

After you disabled Teatimer, download ResetTeaTimer.exe to your desktop.

Then run ResetTeaTimer.exe.

This will only take a few seconds.

Step 2

  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab and select Check for Updates.
  • Go to the Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

In your next reply, please post the following logs:

  1. Malwarebytes' Anti-Malware log
  2. a new fresh DDS log only


OK, the new MBAM log and DDS log are below. Also, please note that the computer will now boot up properly...after logging in to the user account and after I get the systray message that a wireless internet connection has been established, the computer completely freezes. I had to reboot in Safe Mode in order to run MBAM and DDS.

Also, in disabling TeaTimer, I unchecked the TeaTimer and SD Helper boxes and they both seemed to "take," however I never got to the "allow change" dialog box. I did reboot after unchecking the boxes, however.

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5892

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

2/27/2011 8:11:27 AM

mbam-log-2011-02-27 (08-11-27).txt

Scan type: Quick scan

Objects scanned: 180152

Time elapsed: 4 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS (Ver_10-12-12.02) - NTFSx86 NETWORK

Run by Hoppenjans Admin at 8:14:45.23 on Sun 02/27/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3006.2540 [GMT -5:00]

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: Norton Internet Worm Protection *Disabled*

FW: McAfee Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Documents and Settings\Hoppenjans Admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0070721

uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us

uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us

uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0070721

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101107085258.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No File

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"

mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

dRunOnce: [RunNarrator] Narrator.exe

StartupFolder: c:\docume~1\hoppen~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL

DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxps://support.dell.com/systemprofiler/SysPro.CAB

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188070646546

DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: GoToAssist - c:\program files\citrix\gotoassist\480\G2AWinLogon.dll

AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hoppen~1\applic~1\mozilla\firefox\profiles\helee9iz.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=

FF - prefs.js: browser.search.selectedEngine - Amazon.com

FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/?.home=ytff

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - plugin: c:\documents and settings\lucas hoppenjans\application data\move networks\plugins\npqmp071705000014.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-8-4 386840]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-8-4 84072]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-4 271480]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-8-4 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-8-4 141792]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-8-4 313288]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-8-4 88544]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-28 135664]

S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-2-24 363344]

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-5-3 203280]

S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-4 271480]

S2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-4 271480]

S2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-8-4 171168]

S2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-7-21 1247600]

S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-8-4 55840]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-2-24 20952]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-8-4 152960]

S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-8-4 52104]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-8-4 88544]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-4 84264]

=============== Created Last 30 ================

2011-02-24 12:33:55 -------- d-----w- c:\docume~1\hoppen~1\applic~1\Malwarebytes

2011-02-24 12:33:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-02-24 12:33:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2011-02-24 12:33:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-02-24 12:33:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-02-05 01:20:34 -------- d-----w- c:\program files\iPod

2011-02-05 01:20:29 -------- d-----w- c:\program files\iTunes

==================== Find3M ====================

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys

2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll

2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-12-20 23:59:19 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec

2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll

2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll

2010-12-09 13:42:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-12-09 13:07:07 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

============= FINISH: 8:15:21.39 ===============


**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
     (screenshot: CF_download_FF.gif)
  2. During the download, rename Combofix to Combo-Fix as follows:
     (screenshot: CF_download_rename.gif)
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Sorry. Here you go.

ComboFix 11-02-27.01 - Hoppenjans Admin 02/27/2011 19:37:34.1.2 - x86 NETWORK

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3006.2625 [GMT -5:00]

Running from: c:\documents and settings\Hoppenjans Admin\Desktop\Combo-Fix.exe

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Hoppenjans Admin\GoToAssistDownloadHelper.exe

c:\windows\system32\_000003_.tmp.dll

c:\windows\system32\_000006_.tmp.dll

c:\windows\system32\_000007_.tmp.dll

c:\windows\system32\_000008_.tmp.dll

c:\windows\system32\SET33D.tmp

.

((((((((((((((((((((((((( Files Created from 2011-01-28 to 2011-02-28 )))))))))))))))))))))))))))))))

.

2011-02-25 23:34 . 2011-02-25 23:34 -------- d-----w- c:\documents and settings\Kathleen Hoppenjans\Local Settings\Application Data\Apple

2011-02-24 12:33 . 2011-02-24 12:33 -------- d-----w- c:\documents and settings\Hoppenjans Admin\Application Data\Malwarebytes

2011-02-24 12:33 . 2011-02-24 12:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-02-24 12:33 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-02-24 12:33 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-02-24 12:33 . 2011-02-24 12:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-02-05 01:20 . 2011-02-05 01:20 -------- d-----w- c:\program files\iPod

2011-02-05 01:20 . 2011-02-05 01:21 -------- d-----w- c:\program files\iTunes

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-01-21 14:44 . 2004-08-10 17:51 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09 . 2004-08-10 17:50 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10 . 2004-08-10 17:51 1854976 ----a-w- c:\windows\system32\win32k.sys

2010-12-22 12:34 . 2004-08-10 17:51 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-12-20 23:59 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll

2010-12-20 23:59 . 2004-08-10 17:51 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-12-20 23:59 . 2004-08-10 17:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2010-12-20 17:26 . 2004-08-10 17:51 730112 ----a-w- c:\windows\system32\lsasrv.dll

2010-12-20 12:55 . 2004-08-10 17:51 385024 ----a-w- c:\windows\system32\html.iec

2010-12-09 15:15 . 2004-08-10 17:51 718336 ----a-w- c:\windows\system32\ntdll.dll

2010-12-09 14:30 . 2004-08-10 17:50 33280 ----a-w- c:\windows\system32\csrsrv.dll

2010-12-09 13:42 . 2004-08-10 17:51 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-12-09 13:07 . 2004-08-04 03:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-10-14 03:28 . 2010-08-04 20:13 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-31 68856]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]

"nwiz"="nwiz.exe" [2006-08-23 1617920]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-23 86016]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]

"SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 282624]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-21 169984]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-06 185896]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\Lucas Hoppenjans\Start Menu\Programs\Startup\

OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\Hoppenjans Admin\Start Menu\Programs\Startup\

OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2007-11-06 12:27 10792 ----a-w- c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [8/4/2010 3:13 PM 84072]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [8/4/2010 3:12 PM 271480]

R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [8/4/2010 3:13 PM 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [8/4/2010 3:13 PM 141792]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [8/4/2010 3:13 PM 313288]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [8/4/2010 3:13 PM 88544]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2010 7:15 PM 135664]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/24/2011 7:33 AM 363344]

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [5/3/2010 5:42 AM 203280]

S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [8/4/2010 3:12 PM 271480]

S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [8/4/2010 3:13 PM 55840]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/24/2011 7:33 AM 20952]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [8/4/2010 3:13 PM 88544]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [8/4/2010 3:13 PM 84264]

.

Contents of the 'Scheduled Tasks' folder

2011-02-25 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2011-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 00:15]

2011-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 00:15]

2011-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1901776298-3590923216-799600055-1007Core.job

- c:\documents and settings\Lucas Hoppenjans\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-29 16:35]

2011-02-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1901776298-3590923216-799600055-1007UA.job

- c:\documents and settings\Lucas Hoppenjans\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-29 16:35]

.

.

------- Supplementary Scan -------

.

uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0070721

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - ProfilePath - c:\documents and settings\Hoppenjans Admin\Application Data\Mozilla\Firefox\Profiles\helee9iz.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=

FF - prefs.js: browser.search.selectedEngine - Amazon.com

FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/?.home=ytff

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-02-27 19:40

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1188)

c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll

.

Completion time: 2011-02-27 19:42:05

ComboFix-quarantined-files.txt 2011-02-28 00:42

Pre-Run: 57,116,016,640 bytes free

Post-Run: 57,752,002,560 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - BA13F3A8E044FF5C0F5EBA3767A136C7


Also, I checked the original profile that first exhibited the infection. When loading a browser (Firefox or IE), I still get an "open with" dialog box and although the browser will eventually load, I get a dialog box that references a file called something like jlsnotify.exe. That profile doesn't lock up like the one I have been using to try these various fixes has locked up.

Additionally, the wireless internet connection seems to cut in and out, like something is trying to disable it and then it gets re-enabled... continuously.


I ran them all as "Hoppenjans Administrator." This is the one that I had to run while in Safe Mode, because it locks up... although it isn't the original profile that got infected and that led me to purchase the Malwarebytes software... that one was the "Lucas" profile. I didn't know it mattered which profile, because it appears that the machine itself is infected.

Do you recommend that I simply go to a system restore point earlier than the infection occurred? Perhaps that and the enabled software could prevent re-infection?



Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
