I just got the XP Anti virus 2011 on my computer.

I was unable to access an internet browser on that computer, so there may be more things wrong. I used a flash drive to download the programs I was told to and run them on the infected computer.

1-Malwarebytes did not run. It was not running.

2-I have McAfee; I ran a full scan and it found nothing.

3-I ran defogger.

4-I ran DDS. Log is below

5-I ran GMER. Log is below

I am also worried about using the flash drive to bounce between computers. Do I need to worry about the computer that I am currently working on (it does not appear to be infected - Malwarebytes is working)?

Thanks for your help!

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Melissa at 22:01:12.23 on Fri 05/06/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.439 [GMT -4:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\WgaTray.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

C:\Program Files\McAfee Online Backup\MOBKbackup.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\Program Files\Elantech\ETDCtrl.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\EeePC\ACPI\AsEPCMon.exe

C:\Documents and Settings\Melissa\Desktop\dds(1).scr

C:\Program Files\Elantech\ETDDect.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe

C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe

C:\WINDOWS\system32\igfxext.exe

C:\Documents and Settings\Melissa\Local Settings\Application Data\ocj.exe

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\WINDOWS\System32\vssvc.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\EeePC\ACPI\AsTray.exe

.

============== Pseudo HJT Report ===============

.

uInternet Settings,ProxyOverride = *.local

mURLSearchHooks: H - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101104230526.dll

BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll

BHO: 1 (0x1) - No File

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [ETDWare] c:\program files\elantech\ETDCtrl.exe

mRun: [ETDWareDetect] c:\program files\elantech\ETDDect.exe

mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe

mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe

mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\melissa\applic~1\mozilla\firefox\profiles\8ry03z6f.default\

FF - prefs.js: browser.search.selectedEngine - Secure Search

FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll

FF - plugin: c:\documents and settings\melissa\application data\mozilla\firefox\profiles\8ry03z6f.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll

FF - plugin: c:\documents and settings\melissa\local settings\application data\yahoo!\browserplus\2.9.2\plugins\npybrowserplus_2.9.2.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor

FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

.

============= SERVICES / DRIVERS ===============

.

.

=============== Created Last 30 ================

.

2011-05-07 00:24:00 234678 --sha-w- c:\docume~1\melissa\locals~1\applic~1\ocj.exe

2011-04-27 20:39:52 -------- d-----w- c:\windows\system32\NtmsData

2011-04-27 15:44:33 -------- d-----w- c:\docume~1\melissa\applic~1\Malwarebytes

2011-04-27 15:44:15 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2011-04-27 15:44:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-04-27 14:38:07 98816 ----a-w- c:\windows\sed.exe

2011-04-27 14:38:07 89088 ----a-w- c:\windows\MBR.exe

2011-04-27 14:38:07 256512 ----a-w- c:\windows\PEV.exe

2011-04-27 14:38:07 161792 ----a-w- c:\windows\SWREG.exe

2011-04-24 04:05:15 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools

2011-04-13 22:40:10 4284416 ----a-w- c:\windows\system32\GPhotos.scr

.

==================== Find3M ====================

.

2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys

2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll

2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-02-22 23:06:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec

2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll

2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll

2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll

2008-05-07 08:34:00 15523560 ----a-w- c:\program files\U1 Setup.exe

.

============= FINISH: 22:05:13.31 ===============

GMER Log:

GMER 1.0.15.15627 - http://www.gmer.net

Rootkit scan 2011-05-06 23:47:20

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST9160310AS rev.0303

Running: 43rn8kur.exe; Driver: C:\DOCUME~1\Melissa\LOCALS~1\Temp\uxldqpog.sys

---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF73B50E0]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF73B50F4]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF73B5120]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF73B5176]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF73B50CC]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF73B50A4]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF73B50B8]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF73B510A]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF73B514C]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF73B5136]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF73B51A0]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF73B518C]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF73B5160]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\Melissa\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[556] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 05DF000A

.text C:\WINDOWS\Explorer.EXE[556] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 05DF002F

.text C:\WINDOWS\Explorer.EXE[556] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 05DF0FEF

.text C:\WINDOWS\Explorer.EXE[556] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 05DE000A

.text C:\WINDOWS\Explorer.EXE[556] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 05DE0F7A

.text C:\WINDOWS\Explorer.EXE[556] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 05DE006F

.text C:\WINDOWS\Explorer.EXE[556] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 05DE0F97

.text C:\WINDOWS\Explorer.EXE[556] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 05DE0FA8

.text C:\WINDOWS\Explorer.EXE[556] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 05DE0040

.text C:\WINDOWS\Explorer.EXE[556] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 05DE00CC

.text C:\WINDOWS\Explorer.EXE[556] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 05DE00B1

.text C:\WINDOWS\Explorer.EXE[556] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 05DE0F3D

.text C:\WINDOWS\Explorer.EXE[556] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 05DE0F58

.text C:\WINDOWS\Explorer.EXE[556] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 05DE00F1

.text C:\WINDOWS\Explorer.EXE[556] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 05DE0FC3

.text C:\WINDOWS\Explorer.EXE[556] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 05DE0FE5

.text C:\WINDOWS\Explorer.EXE[556] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 05DE0094

.text C:\WINDOWS\Explorer.EXE[556] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 05DE002F

.text C:\WINDOWS\Explorer.EXE[556] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 05DE0FD4

.text C:\WINDOWS\Explorer.EXE[556] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 05DE0F69

.text C:\WINDOWS\Explorer.EXE[556] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 05DD0FDB

.text C:\WINDOWS\Explorer.EXE[556] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 05DD0FA8

.text C:\WINDOWS\Explorer.EXE[556] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 05DD002C

.text C:\WINDOWS\Explorer.EXE[556] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 05DD001B

.text C:\WINDOWS\Explorer.EXE[556] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 05DD0FB9

.text C:\WINDOWS\Explorer.EXE[556] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 05DD0000

.text C:\WINDOWS\Explorer.EXE[556] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 05DD0FCA

.text C:\WINDOWS\Explorer.EXE[556] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [FD, 8D]

.text C:\WINDOWS\Explorer.EXE[556] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 05DD0047

.text C:\WINDOWS\Explorer.EXE[556] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 05DC0F81

.text C:\WINDOWS\Explorer.EXE[556] msvcrt.dll!system 77C293C7 5 Bytes JMP 05DC0F92

.text C:\WINDOWS\Explorer.EXE[556] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 05DC0FC8

.text C:\WINDOWS\Explorer.EXE[556] msvcrt.dll!_open 77C2F566 5 Bytes JMP 05DC0FEF

.text C:\WINDOWS\Explorer.EXE[556] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 05DC0FB7

.text C:\WINDOWS\Explorer.EXE[556] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 05DC000C

.text C:\WINDOWS\Explorer.EXE[556] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 04F50FEF

.text C:\WINDOWS\Explorer.EXE[556] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 04F5000A

.text C:\WINDOWS\Explorer.EXE[556] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 04F5001B

.text C:\WINDOWS\Explorer.EXE[556] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 04F5002C

.text C:\WINDOWS\Explorer.EXE[556] WS2_32.dll!socket 71AB4211 5 Bytes JMP 05DB0FE5

.text C:\WINDOWS\system32\svchost.exe[964] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C4000A

.text C:\WINDOWS\system32\svchost.exe[964] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C40FEF

.text C:\WINDOWS\system32\svchost.exe[964] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C4001B

.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C30FE5

.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C3004A

.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C30F55

.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C3002F

.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C30F72

.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C30F9E

.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C30F1F

.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C30F30

.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C30EF3

.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C3008C

.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C300B1

.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C30F8D

.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C30000

.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C3005B

.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C30FAF

.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C30FCA

.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C30F0E

.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C20FB9

.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C20051

.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C20FCA

.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C20FDB

.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C20036

.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C20000

.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C20F94

.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E2, 88] {LOOP 0xffffffffffffff8a}

.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C2001B

.text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C10047

.text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C10036

.text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C10FC6

.text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C10FE3

.text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C1001B

.text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C10000

.text C:\WINDOWS\system32\svchost.exe[964] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00BF0000

.text C:\WINDOWS\system32\svchost.exe[964] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00BF001B

.text C:\WINDOWS\system32\svchost.exe[964] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00BF0FE5

.text C:\WINDOWS\system32\svchost.exe[964] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00BF0FC0

.text C:\WINDOWS\system32\svchost.exe[964] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C00000

.text C:\WINDOWS\system32\services.exe[1232] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00050000

.text C:\WINDOWS\system32\services.exe[1232] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00050022

.text C:\WINDOWS\system32\services.exe[1232] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00050011

.text C:\WINDOWS\system32\services.exe[1232] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00040FEF

.text C:\WINDOWS\system32\services.exe[1232] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0004009D

.text C:\WINDOWS\system32\services.exe[1232] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00040082

.text C:\WINDOWS\system32\services.exe[1232] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00040065

.text C:\WINDOWS\system32\services.exe[1232] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00040054

.text C:\WINDOWS\system32\services.exe[1232] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0004002F

.text C:\WINDOWS\system32\services.exe[1232] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00040F72

.text C:\WINDOWS\system32\services.exe[1232] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00040F83

.text C:\WINDOWS\system32\services.exe[1232] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00040F3C

.text C:\WINDOWS\system32\services.exe[1232] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00040F4D

.text C:\WINDOWS\system32\services.exe[1232] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00040F2B

.text C:\WINDOWS\system32\services.exe[1232] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00040FA8

.text C:\WINDOWS\system32\services.exe[1232] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00040FD4

.text C:\WINDOWS\system32\services.exe[1232] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 000400AE

.text C:\WINDOWS\system32\services.exe[1232] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0004001E

.text C:\WINDOWS\system32\services.exe[1232] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00040FC3

.text C:\WINDOWS\system32\services.exe[1232] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 000400D5

.text C:\WINDOWS\system32\services.exe[1232] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0076002C

.text C:\WINDOWS\system32\services.exe[1232] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00760051

.text C:\WINDOWS\system32\services.exe[1232] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0076001B

.text C:\WINDOWS\system32\services.exe[1232] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00760FE5

.text C:\WINDOWS\system32\services.exe[1232] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00760F8A

.text C:\WINDOWS\system32\services.exe[1232] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00760000

.text C:\WINDOWS\system32\services.exe[1232] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00760FAF

.text C:\WINDOWS\system32\services.exe[1232] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [96, 88]

.text C:\WINDOWS\system32\services.exe[1232] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00760FC0

.text C:\WINDOWS\system32\services.exe[1232] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00070FAF

.text C:\WINDOWS\system32\services.exe[1232] msvcrt.dll!system 77C293C7 5 Bytes JMP 00070044

.text C:\WINDOWS\system32\services.exe[1232] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00070FEF

.text C:\WINDOWS\system32\services.exe[1232] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00070000

.text C:\WINDOWS\system32\services.exe[1232] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00070FD4

.text C:\WINDOWS\system32\services.exe[1232] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00070029

.text C:\WINDOWS\system32\services.exe[1232] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0006000A

.text C:\WINDOWS\system32\lsass.exe[1244] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C00000

.text C:\WINDOWS\system32\lsass.exe[1244] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C00036

.text C:\WINDOWS\system32\lsass.exe[1244] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C00025

.text C:\WINDOWS\system32\lsass.exe[1244] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB0FEF

.text C:\WINDOWS\system32\lsass.exe[1244] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BB006C

.text C:\WINDOWS\system32\lsass.exe[1244] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BB0F77

.text C:\WINDOWS\system32\lsass.exe[1244] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BB0F92

.text C:\WINDOWS\system32\lsass.exe[1244] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BB005B

.text C:\WINDOWS\system32\lsass.exe[1244] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BB0FC0

.text C:\WINDOWS\system32\lsass.exe[1244] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BB0F4B

.text C:\WINDOWS\system32\lsass.exe[1244] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BB0F5C

.text C:\WINDOWS\system32\lsass.exe[1244] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BB0F30

.text C:\WINDOWS\system32\lsass.exe[1244] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BB00BF

.text C:\WINDOWS\system32\lsass.exe[1244] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BB0F15

.text C:\WINDOWS\system32\lsass.exe[1244] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BB0FAF

.text C:\WINDOWS\system32\lsass.exe[1244] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BB0000

.text C:\WINDOWS\system32\lsass.exe[1244] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BB0087

.text C:\WINDOWS\system32\lsass.exe[1244] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BB002C

.text C:\WINDOWS\system32\lsass.exe[1244] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BB0011

.text C:\WINDOWS\system32\lsass.exe[1244] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BB00AE

.text C:\WINDOWS\system32\lsass.exe[1244] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C3002F

.text C:\WINDOWS\system32\lsass.exe[1244] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C30040

.text C:\WINDOWS\system32\lsass.exe[1244] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C30FDE

.text C:\WINDOWS\system32\lsass.exe[1244] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C30FEF

.text C:\WINDOWS\system32\lsass.exe[1244] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C30F83

.text C:\WINDOWS\system32\lsass.exe[1244] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C3000A

.text C:\WINDOWS\system32\lsass.exe[1244] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C30F9E

.text C:\WINDOWS\system32\lsass.exe[1244] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E3, 88] {JECXZ 0xffffffffffffff8a}

.text C:\WINDOWS\system32\lsass.exe[1244] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C30FC3

.text C:\WINDOWS\system32\lsass.exe[1244] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C2002E

.text C:\WINDOWS\system32\lsass.exe[1244] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C20FAD

.text C:\WINDOWS\system32\lsass.exe[1244] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C2001D

.text C:\WINDOWS\system32\lsass.exe[1244] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C20000

.text C:\WINDOWS\system32\lsass.exe[1244] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C20FC8

.text C:\WINDOWS\system32\lsass.exe[1244] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C20FE3

.text C:\WINDOWS\system32\lsass.exe[1244] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C10000

.text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C3000A

.text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C30FDE

.text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C30FEF

.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C20FE5

.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C20F99

.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C2008E

.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C20073

.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C20062

.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C20040

.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C20F68

.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C200B0

.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C200F0

.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C200D5

.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C20F3C

.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C20051

.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C20FD4

.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C2009F

.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C20025

.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C20014

.text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C20F57

.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C10FCA

.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C10036

.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C10011

.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C10FDB

.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C10F83

.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C10000

.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C10F9E

.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E1, 88] {LOOPZ 0xffffffffffffff8a}

.text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C10FAF

.text C:\WINDOWS\system32\svchost.exe[1352] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C00F75

.text C:\WINDOWS\system32\svchost.exe[1352] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C00F90

.text C:\WINDOWS\system32\svchost.exe[1352] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C00FB5

.text C:\WINDOWS\system32\svchost.exe[1352] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C00FEF

.text C:\WINDOWS\system32\svchost.exe[1352] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C0000A

.text C:\WINDOWS\system32\svchost.exe[1352] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C00FC6

.text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00FF0FEF

.text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00FF001B

.text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FF0000

.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FE0000

.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FE0F94

.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FE0089

.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FE0062

.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FE0FAF

.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FE0047

.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FE00C6

.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FE00B5

.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FE0F41

.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FE0F52

.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FE0F1C

.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FE0FC0

.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FE001B

.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FE00A4

.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FE0036

.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FE0FE5

.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FE0F63

.text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02430FA8

.text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02430F61

.text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02430FC3

.text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02430FD4

.text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02430F7C

.text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02430FEF

.text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02430F8D

.text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [63, 8A]

.text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0243001E

.text C:\WINDOWS\system32\svchost.exe[1420] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02420F92

.text C:\WINDOWS\system32\svchost.exe[1420] msvcrt.dll!system 77C293C7 5 Bytes JMP 02420027

.text C:\WINDOWS\system32\svchost.exe[1420] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02420FD2

.text C:\WINDOWS\system32\svchost.exe[1420] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02420FEF

.text C:\WINDOWS\system32\svchost.exe[1420] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02420FC1

.text C:\WINDOWS\system32\svchost.exe[1420] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02420000

.text C:\WINDOWS\system32\svchost.exe[1420] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02410FEF

.text C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C70FEF

.text C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C70025

.text C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C7000A

.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C60000

.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C6009D

.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C60FA8

.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C60080

.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C60FC3

.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C60FD4

.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C600CE

.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C60F86

.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C60104

.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C60F61

.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C60F50

.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C60065

.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C6001B

.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C60F97

.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C60FE5

.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C60040

.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C600E9

.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CA0036

.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CA0FAF

.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CA0025

.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CA000A

.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CA0076

.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CA0FEF

.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00CA005B

.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CA0FD4

.text C:\WINDOWS\system32\svchost.exe[1468] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C90F9C

.text C:\WINDOWS\system32\svchost.exe[1468] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C90031

.text C:\WINDOWS\system32\svchost.exe[1468] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C90FD2

.text C:\WINDOWS\system32\svchost.exe[1468] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C9000C

.text C:\WINDOWS\system32\svchost.exe[1468] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C90FB7

.text C:\WINDOWS\system32\svchost.exe[1468] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C90FEF

.text C:\WINDOWS\system32\svchost.exe[1468] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C80000

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1556] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00850FEF

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1556] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0085001B

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1556] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00850000

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1556] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00840000

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1556] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00840F91

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1556] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00840090

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1556] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00840FB6

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1556] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00840073

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1556] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00840047

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1556] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008400BC

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1556] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00840F80

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1556] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00840F3E

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1556] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008400E1

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1556] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00840F23

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1556] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00840058

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1556] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0084001B

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1556] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 008400A1

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1556] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00840FDB

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1556] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0084002C

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1556] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00840F59

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1556] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00820053

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1556] msvcrt.dll!system 77C293C7 5 Bytes JMP 00820042

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1556] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00820FD2

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1556] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00820FE3

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1556] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00820027

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1556] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0082000C

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1556] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00830040

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1556] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00830F9E

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1556] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0083002F

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1556] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00830FEF

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1556] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00830FB9

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1556] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0083000A

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1556] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00830FCA

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1556] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [A3, 88]

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1556] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0083005B

.text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1556] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00810FEF

.text C:\WINDOWS\System32\svchost.exe[1612] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01770FE5

.text C:\WINDOWS\System32\svchost.exe[1612] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0177001B

.text C:\WINDOWS\System32\svchost.exe[1612] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01770000

.text C:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01630000

.text C:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01630082

.text C:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01630071

.text C:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01630F97

.text C:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0163004A

.text C:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01630039

.text C:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 016300BA

.text C:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01630F68

.text C:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01630F2B

.text C:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01630F3C

.text C:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 016300D5

.text C:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01630FB2

.text C:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01630FEF

.text C:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01630093

.text C:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01630FCD

.text C:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01630FDE

.text C:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01630F4D

.text C:\WINDOWS\System32\svchost.exe[1612] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0162002C

.text C:\WINDOWS\System32\svchost.exe[1612] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01620F9B

.text C:\WINDOWS\System32\svchost.exe[1612] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01620FDB

.text C:\WINDOWS\System32\svchost.exe[1612] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01620011

.text C:\WINDOWS\System32\svchost.exe[1612] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01620FB6

.text C:\WINDOWS\System32\svchost.exe[1612] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01620000

.text C:\WINDOWS\System32\svchost.exe[1612] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01620058

.text C:\WINDOWS\System32\svchost.exe[1612] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01620047

.text C:\WINDOWS\System32\svchost.exe[1612] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01B30050

.text C:\WINDOWS\System32\svchost.exe[1612] msvcrt.dll!system 77C293C7 5 Bytes JMP 01B3003F

.text C:\WINDOWS\System32\svchost.exe[1612] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01B30FE3

.text C:\WINDOWS\System32\svchost.exe[1612] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01B3000C

.text C:\WINDOWS\System32\svchost.exe[1612] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01B3002E

.text C:\WINDOWS\System32\svchost.exe[1612] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01B3001D

.text C:\WINDOWS\System32\svchost.exe[1612] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01B20FEF

.text C:\WINDOWS\System32\svchost.exe[1612] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01B10FEF

.text C:\WINDOWS\System32\svchost.exe[1612] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01B10FD4

.text C:\WINDOWS\System32\svchost.exe[1612] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01B10FC3

.text C:\WINDOWS\System32\svchost.exe[1612] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 01B10FA8

.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1668] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)

.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1668] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)

.text C:\WINDOWS\system32\svchost.exe[1680] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00A00000

.text C:\WINDOWS\system32\svchost.exe[1680] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00A00FE5

.text C:\WINDOWS\system32\svchost.exe[1680] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A0001B

.text C:\WINDOWS\system32\svchost.exe[1680] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009F000A

.text C:\WINDOWS\system32\svchost.exe[1680] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009F00B5

.text C:\WINDOWS\system32\svchost.exe[1680] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009F00A4

.text C:\WINDOWS\system32\svchost.exe[1680] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009F0093

.text C:\WINDOWS\system32\svchost.exe[1680] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009F0076

.text C:\WINDOWS\system32\svchost.exe[1680] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009F0040

.text C:\WINDOWS\system32\svchost.exe[1680] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009F00F7

.text C:\WINDOWS\system32\svchost.exe[1680] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009F00DA

.text C:\WINDOWS\system32\svchost.exe[1680] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009F013E

.text C:\WINDOWS\system32\svchost.exe[1680] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009F012D

.text C:\WINDOWS\system32\svchost.exe[1680] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009F0F94

.text C:\WINDOWS\system32\svchost.exe[1680] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009F005B

.text C:\WINDOWS\system32\svchost.exe[1680] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009F001B

.text C:\WINDOWS\system32\svchost.exe[1680] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009F0FAF

.text C:\WINDOWS\system32\svchost.exe[1680] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009F0FD4

.text C:\WINDOWS\system32\svchost.exe[1680] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009F0FEF

.text C:\WINDOWS\system32\svchost.exe[1680] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009F0112

.text C:\WINDOWS\system32\svchost.exe[1680] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009E0014

.text C:\WINDOWS\system32\svchost.exe[1680] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009E004D

.text C:\WINDOWS\system32\svchost.exe[1680] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009E0FC3

.text C:\WINDOWS\system32\svchost.exe[1680] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009E0FD4

.text C:\WINDOWS\system32\svchost.exe[1680] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009E0F86

.text C:\WINDOWS\system32\svchost.exe[1680] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009E0FEF

.text C:\WINDOWS\system32\svchost.exe[1680] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 009E0FA1

.text C:\WINDOWS\system32\svchost.exe[1680] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [bE, 88]

.text C:\WINDOWS\system32\svchost.exe[1680] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009E0FB2

.text C:\WINDOWS\system32\svchost.exe[1680] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BE0F92

.text C:\WINDOWS\system32\svchost.exe[1680] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BE0FAD

.text C:\WINDOWS\system32\svchost.exe[1680] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BE0FD9

.text C:\WINDOWS\system32\svchost.exe[1680] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BE0000

.text C:\WINDOWS\system32\svchost.exe[1680] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BE0FBE

.text C:\WINDOWS\system32\svchost.exe[1680] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BE001D

.text C:\WINDOWS\system32\svchost.exe[1680] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A10000

.text C:\WINDOWS\system32\svchost.exe[1820] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C10000

.text C:\WINDOWS\system32\svchost.exe[1820] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C10022

.text C:\WINDOWS\system32\svchost.exe[1820] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C10011

.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C00FEF

.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C00F6D

.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C00062

.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C00F94

.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C00051

.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C00036

.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C00090

.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C00F48

.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C00F2D

.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C000C6

.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C00F12

.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C00FAF

.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C0000A

.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C00073

.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C00FD4

.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C00025

.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C000AB

.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BF0040

.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BF0094

.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BF0FEF

.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BF001B

.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BF0079

.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BF0000

.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BF0FCD

.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DF, 88]

.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BF0FDE

.text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C30047

.text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C30036

.text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C30FC6

.text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C30FE3

.text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C30025

.text C:\WINDOWS\system32\svchost.exe[1820] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C30000

.text C:\WINDOWS\system32\svchost.exe[1820] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C2000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

AttachedDevice \FileSystem\Ntfs \Ntfs MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)

---- EOF - GMER 1.0.15 ----

ark.7z

Attach.7z

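The hook lines above are the part of the GMER log worth reading closely. GMER appends the owning DLL when a jump target falls inside a loaded module (the two McSvHost.exe hooks resolve to mcproxy.dll, a McAfee component), so a bare target such as `JMP 00FE0F41` means the hook stub sits in memory that no module on disk accounts for, which is what injected code looks like and what a legitimately installed product normally does not. Below is an added example, not code from the original post or from GMER itself, that parses lines of this shape and reports, per process, which exports jump to unattributed memory and how many 4 KiB pages those stubs occupy. The sample lines are constructed for the example in the same format as the log; the `Hook` dataclass and the function names are my own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Shape of one user-mode hook line under GMER's "---- User code sections ----":
#   .text <process>[<pid>] <module>!<export>[ + <off>] <addr> <n> Bytes JMP <target>[ <backing dll> (<desc>)]
# A patch GMER reports in two pieces has raw bytes on its second line instead of a JMP:
#   ... <export> + 3 <addr> 2 Bytes [63, 8A]
HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] "
    r"(?P<mod>[^!\s]+)!(?P<func>\S+)(?: \+ (?P<off>\d+))? "
    r"(?P<addr>[0-9A-Fa-f]{8}) (?P<n>\d+) Bytes (?P<patch>.*)$"
)
JMP_RE = re.compile(r"^JMP (?P<target>[0-9A-Fa-f]{8})(?: (?P<backing>.+))?$")

# Constructed sample in the same shape as the posted log: four hooks in one
# svchost.exe with bare jump targets (one reported in two pieces), and one
# McAfee hook that GMER could attribute to mcproxy.dll.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FE0F41
.text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02430F8D
.text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [63, 8A]
.text C:\WINDOWS\system32\svchost.exe[1420] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02410FEF
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1668] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
"""


@dataclass
class Hook:
    process: str
    pid: int
    export: str             # e.g. "kernel32.dll!CreateProcessW"
    offset: int             # 0 for the hook itself, >0 for a "+ 3" continuation line
    address: int            # patched address inside the exporting DLL
    patched_bytes: int
    target: Optional[int]   # None when the line carries raw bytes instead of a JMP
    backing: Optional[str]  # DLL GMER attributed the target to, if any


def parse_hooks(log_text: str) -> List[Hook]:
    """Parse every '.text ...' hook line; lines of any other shape are ignored."""
    hooks: List[Hook] = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        target = backing = None
        jm = JMP_RE.match(m["patch"])
        if jm:
            target = int(jm["target"], 16)
            backing = jm["backing"]
        hooks.append(Hook(
            process=m["proc"], pid=int(m["pid"]),
            export=f'{m["mod"]}!{m["func"]}',
            offset=int(m["off"] or 0), address=int(m["addr"], 16),
            patched_bytes=int(m["n"]), target=target, backing=backing,
        ))
    return hooks


def classify(hooks: List[Hook]) -> Dict[Tuple[str, int], Dict[str, list]]:
    """Per (process, pid): exports whose JMP lands in memory GMER could not tie to
    any loaded DLL ('unattributed'), exports it could ('attributed'), and the
    distinct 4 KiB pages holding the unattributed stubs ('pages')."""
    out: Dict[Tuple[str, int], Dict[str, list]] = defaultdict(
        lambda: {"unattributed": [], "attributed": [], "pages": []}
    )
    for h in hooks:
        # Continuation lines ("+ 3 ... [63, 8A]") carry no new jump target.
        if h.target is None or h.offset:
            continue
        entry = out[(h.process, h.pid)]
        if h.backing:
            entry["attributed"].append(h.export)
        else:
            entry["unattributed"].append(h.export)
            page = h.target & ~0xFFF
            if page not in entry["pages"]:
                entry["pages"].append(page)
    return dict(out)


def triage(log_text: str) -> List[str]:
    """One line per hooked process, processes with the most unattributed hooks first."""
    rows = [(len(e["unattributed"]), proc, pid, e)
            for (proc, pid), e in classify(parse_hooks(log_text)).items()]
    rows.sort(key=lambda r: (-r[0], r[1], r[2]))
    lines = []
    for n, proc, pid, e in rows:
        verdict = "SUSPECT" if n else "vendor hook"
        lines.append(f"{verdict:11} {proc}[{pid}] unattributed={n} "
                     f"stub pages={[hex(p) for p in e['pages']]} "
                     f"attributed={len(e['attributed'])}")
    return lines


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

Run it over the full pasted log rather than the sample and every svchost.exe and sqlservr.exe block comes out as SUSPECT with the same set of file, process, registry and socket exports hooked, while the McAfee entries come out as vendor hooks; that uniformity across unrelated processes is the signature of a system-wide injection rather than of any one product's hooking.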

I downloaded ComboFix, but when I double-clicked on it, it opened up the window that asked which program I want to use to open this file:

I then have the usual choices. I could not find which program I should use to open ComboFix.

Thanks for your help!


More Info:

This afternoon I tried to run ComboFix again and it started, but I had to choose ComboFix as the program to run it in. I hope that this is OK. I then got a pop-up box that said to choose the file to open iexplore.exe in. I know that ComboFix can be dangerous to the system, and I don't know what to select for this.

Please Advise!

Thanks!


Well, ignore the previous two posts. I got ComboFix to work. Here is the ComboFix log, followed by the DDS log.

Please let me know what the next step is.

I greatly appreciate all of the assistance. Thank you!

ComboFix 11-05-09.01 - Melissa 05/09/2011 16:05:14.2.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.604 [GMT -4:00]

Running from: c:\documents and settings\Melissa\Desktop\ComboFix.exe

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\t0m8ctog368483w04675vl7l06dw6i5r6krf

c:\documents and settings\Melissa\Local Settings\Application Data\t0m8ctog368483w04675vl7l06dw6i5r6krf

c:\documents and settings\Melissa\Templates\t0m8ctog368483w04675vl7l06dw6i5r6krf

.

.

((((((((((((((((((((((((( Files Created from 2011-04-09 to 2011-05-09 )))))))))))))))))))))))))))))))

.

.

2011-04-27 20:39 . 2011-04-27 20:40 -------- d-----w- c:\windows\system32\NtmsData

2011-04-27 15:44 . 2011-04-27 15:44 -------- d-----w- c:\documents and settings\Melissa\Application Data\Malwarebytes

2011-04-27 15:44 . 2011-04-27 15:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-04-27 15:44 . 2011-04-28 16:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-04-26 21:23 . 2011-04-26 21:25 -------- d-----w- c:\documents and settings\Administrator

2011-04-24 04:07 . 2011-04-27 15:42 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2011-04-24 04:05 . 2011-04-27 15:42 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2011-04-13 22:40 . 2011-04-13 22:40 4284416 ----a-w- c:\windows\system32\GPhotos.scr

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-07 05:33 . 2008-12-05 00:09 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:37 . 2008-12-04 22:56 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21 . 2008-12-04 22:56 1857920 ----a-w- c:\windows\system32\win32k.sys

2011-02-22 23:06 . 2008-12-04 22:56 916480 ----a-w- c:\windows\system32\wininet.dll

2011-02-22 23:06 . 2008-12-04 22:55 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-02-22 23:06 . 2008-12-04 22:55 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-02-22 11:41 . 2008-12-04 22:55 385024 ----a-w- c:\windows\system32\html.iec

2011-02-17 13:18 . 2008-12-04 22:55 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-02-17 13:18 . 2008-12-04 22:56 357888 ----a-w- c:\windows\system32\drivers\srv.sys

2011-02-17 12:32 . 2009-12-04 00:58 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-15 12:56 . 2008-12-04 22:55 290432 ----a-w- c:\windows\system32\atmfd.dll

2011-02-09 13:53 . 2008-12-04 22:56 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2008-12-04 22:55 186880 ----a-w- c:\windows\system32\encdec.dll

2008-05-07 08:34 . 2008-12-05 00:41 15523560 ----a-w- c:\program files\U1 Setup.exe

2010-10-14 02:28 . 2010-05-19 02:18 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]

@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"

[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]

2010-01-24 22:10 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]

@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"

[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]

2010-01-24 22:10 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]

@="{b4caf489-1eec-c617-49ad-8d7088598c06}"

[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]

2010-01-24 22:10 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2008-09-18 16855040]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]

"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2008-09-03 335872]

"ETDWareDetect"="c:\program files\Elantech\ETDDect.exe" [2008-08-22 204800]

"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2008-09-17 106496]

"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2008-09-16 593920]

"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2008-05-21 94208]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SuperHybridEngine.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SuperHybridEngine.lnk

backup=c:\windows\pss\SuperHybridEngine.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDDMStatus.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDDMStatus.lnk

backup=c:\windows\pss\WDDMStatus.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDSmartWare.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDSmartWare.lnk

backup=c:\windows\pss\WDSmartWare.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]

2010-09-16 19:03 4425048 ----a-w- c:\program files\AIM\aim.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-06-15 20:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

2007-10-18 16:34 5724184 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-03-19 02:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2010-05-13 20:12 26192168 ----a-r- c:\program files\Skype\Phone\Skype.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\U1_USB]

2008-04-25 20:16 200704 ----a-w- c:\program files\ASUS\AiGuru U1\AiGuru_U1usb.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2/6/2010 10:23 AM 84072]

R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2/6/2010 10:25 AM 54776]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [2/6/2010 10:23 AM 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [2/6/2010 10:23 AM 271480]

R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [2/6/2010 10:23 AM 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [2/6/2010 10:23 AM 141792]

R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [1/24/2010 6:10 PM 229688]

R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [8/17/2009 10:52 AM 98304]

R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 9:58 AM 20480]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2/6/2010 10:23 AM 55840]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2/6/2010 10:23 AM 313288]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2/6/2010 10:23 AM 88544]

R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [12/4/2008 8:34 PM 704384]

S2 0068531303917095mcinstcleanup;McAfee Application Installer Cleanup (0068531303917095);c:\windows\TEMP\006853~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\006853~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [2/6/2010 10:23 AM 271480]

S2 Norton Internet Security;Norton Internet Security;"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1 --> c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [?]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2/6/2010 10:23 AM 88544]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2/6/2010 10:23 AM 84264]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [3/15/2010 9:51 PM 11520]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - mfeavfk01

.

Contents of the 'Scheduled Tasks' folder

.

2011-05-09 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 16:20]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

FF - ProfilePath - c:\documents and settings\Melissa\Application Data\Mozilla\Firefox\Profiles\8ry03z6f.default\

FF - prefs.js: browser.search.selectedEngine - Secure Search

FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor

FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

MSConfigStartUp-avgnt - c:\program files\Avira\AntiVir Desktop\avgnt.exe

MSConfigStartUp-Spyware Doctor with AntiVirus - c:\documents and settings\Melissa\Desktop\sdasetup_revwire207.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-09 16:15

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]

"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2011-05-09 16:18:51

ComboFix-quarantined-files.txt 2011-05-09 20:18

.

Pre-Run: 65,952,468,992 bytes free

Post-Run: 65,982,451,712 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

.

- - End Of File - - BF944504B8385D348ECBA60D0897A4E0

Now the DDS log:

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Melissa at 16:36:00.15 on Mon 05/09/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.416 [GMT -4:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

C:\Program Files\McAfee Online Backup\MOBKbackup.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe

C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\WINDOWS\System32\vssvc.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Elantech\ETDCtrl.exe

C:\Program Files\Elantech\ETDDect.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe

C:\Program Files\EeePC\ACPI\AsEPCMon.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\WINDOWS\system32\igfxext.exe

C:\Program Files\EeePC\ACPI\AsTray.exe

C:\Documents and Settings\Melissa\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uInternet Settings,ProxyOverride = *.local

mURLSearchHooks: H - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101104230526.dll

BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll

BHO: 1 (0x1) - No File

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [ETDWare] c:\program files\elantech\ETDCtrl.exe

mRun: [ETDWareDetect] c:\program files\elantech\ETDDect.exe

mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe

mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe

mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\melissa\applic~1\mozilla\firefox\profiles\8ry03z6f.default\

FF - prefs.js: browser.search.selectedEngine - Secure Search

FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=

FF - plugin: c:\documents and settings\melissa\local settings\application data\yahoo!\browserplus\2.9.2\plugins\npybrowserplus_2.9.2.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor

FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

.

============= SERVICES / DRIVERS ===============

.

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 386840]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-2-6 84072]

R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2010-2-6 54776]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-2-6 271480]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-2-6 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-2-6 271480]

R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-2-6 271480]

R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-2-6 171168]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-2-6 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-2-6 141792]

R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-1-24 229688]

R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-8-17 98304]

R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-2-6 55840]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-2-6 152960]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-2-6 52104]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-2-6 313288]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-2-6 88544]

R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2008-12-4 704384]

S2 0068531303917095mcinstcleanup;McAfee Application Installer Cleanup (0068531303917095);c:\windows\temp\006853~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\006853~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]

S2 Norton Internet Security;Norton Internet Security;"c:\program files\norton internet security\engine\16.0.0.125\ccsvchst.exe" /s "norton internet security" /m "c:\program files\norton internet security\engine\16.0.0.125\dimaster.dll" /prefetch:1 --> c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [?]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-2-6 88544]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-2-6 84264]

S3 NAVENG;NAVENG;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20080829.024\naveng.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20080829.024\NAVENG.SYS [?]

S3 NAVEX15;NAVEX15;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20080829.024\navex15.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20080829.024\NAVEX15.SYS [?]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2010-3-15 11520]

.

=============== Created Last 30 ================

.

2011-05-09 20:03:44 -------- d-sha-r- C:\cmdcons

2011-04-27 20:39:52 -------- d-----w- c:\windows\system32\NtmsData

2011-04-27 15:44:33 -------- d-----w- c:\docume~1\melissa\applic~1\Malwarebytes

2011-04-27 15:44:15 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2011-04-27 15:44:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-04-27 14:38:07 98816 ----a-w- c:\windows\sed.exe

2011-04-27 14:38:07 89088 ----a-w- c:\windows\MBR.exe

2011-04-27 14:38:07 256512 ----a-w- c:\windows\PEV.exe

2011-04-27 14:38:07 161792 ----a-w- c:\windows\SWREG.exe

2011-04-24 04:05:15 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools

2011-04-13 22:40:10 4284416 ----a-w- c:\windows\system32\GPhotos.scr

.

==================== Find3M ====================

.

2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys

2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll

2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-02-22 23:06:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec

2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll

2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll

2008-05-07 08:34:00 15523560 ----a-w- c:\program files\U1 Setup.exe

.

============= FINISH: 16:39:25.09 ===============

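The ComboFix dump above lists several Security Center and firewall-policy values (AntiVirusOverride, FirewallOverride, DisableMonitoring, EnableFirewall) that a reviewer scanning such a log wants to locate quickly. As an added example, not part of this thread, ComboFix or DDS, here is a small triage script that parses the `[key]` / `"name"=value` blocks in that format and flags those settings. The sample input is an excerpt of the log posted above; the regular expressions, rule list and notes are this example's own assumptions about the log layout, not anything the tools document.

```python
"""Triage helper for ComboFix/DDS-style registry dumps (added example; not
part of the thread above, ComboFix or DDS). Parses "[key]" / "name"=value
blocks and flags Security Center / firewall-policy values worth a second look."""
import re

# Excerpt of the ComboFix log posted above, used here as constructed sample input.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
"""

# Assumed line shapes: "[HKEY...]" opens a block, '"name"=value' is an entry,
# "." and blank lines are separators (matches the log format shown above).
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.*)$')


def parse_dump(text):
    """Return {key: {name: raw_value}} for every [key] block in the dump."""
    entries = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == ".":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            entries.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            entries[current][m.group("name")] = m.group("raw")
    return entries


def as_int(raw):
    """Decode the 'dword:00000001' and '0 (0x0)' value forms; None if not numeric."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"^(\d+)", raw)
    return int(m.group(1)) if m else None


def triage(entries):
    """Return (severity, key, name, note) tuples for settings a reviewer should check.

    None of these values is malicious on its own: third-party suites (McAfee here)
    routinely set the overrides and disable the Windows Firewall profile. The point
    is to surface them so they can be matched against the AV/FW the header reports."""
    findings = []
    for key, values in entries.items():
        k = key.lower()
        if k.endswith("\\security center"):
            for name in ("AntiVirusOverride", "FirewallOverride"):
                if as_int(values.get(name, "")) == 1:
                    findings.append(("review", key, name,
                                     "Security Center alerting suppressed; expected only if "
                                     "a third-party product is actually running"))
        elif "\\security center\\monitoring\\" in k:
            if as_int(values.get("DisableMonitoring", "")) == 1:
                findings.append(("review", key, "DisableMonitoring",
                                 "monitoring of this product disabled; confirm the product "
                                 "is installed and enabled"))
        elif k.endswith("\\firewallpolicy\\standardprofile"):
            if as_int(values.get("EnableFirewall", "")) == 0:
                findings.append(("review", key, "EnableFirewall",
                                 "Windows Firewall off in the standard profile; fine only "
                                 "if another firewall is enabled"))
            if as_int(values.get("DisableNotifications", "")) == 1:
                findings.append(("review", key, "DisableNotifications",
                                 "firewall notifications silenced"))
    return findings


def main():
    for sev, key, name, note in triage(parse_dump(SAMPLE_LOG)):
        print(f"[{sev}] {name} under {key}: {note}")


if __name__ == "__main__":
    main()
```

Run against the excerpt it reports all five values. Read together with the DDS header, which shows McAfee Anti-Virus and McAfee Firewall as the registered products, those entries are consistent with a third-party suite rather than with tampering; the same findings on a machine whose header lists no working AV or firewall would be the thing to chase first.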

  • Staff

Hi,

Did you previously have Norton installed? I see remnants of it leftover.

You can run Norton's removal tool from here.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are both checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Thank you very much for your help. Here are the two logs. It appears that everything is running well now, but there could be something lurking somewhere.

Please let me know what to do next. Thanks!

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - delete file error:The process cannot access the file because it is being used by another process.

OnlineScanner.ocx - copy file error :The process cannot access the file because it is being used by another process.

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6427

# api_version=3.0.2

# EOSSerial=21f8c1dfa6cc6a429f13ad451cf3a424

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=false

# utc_time=2011-05-13 01:43:37

# local_time=2011-05-12 09:43:37 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=5121 16777173 100 75 11826863 34401986 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=78427

# found=0

# cleaned=0

# scan_time=3154

Second scan

Results of screen317's Security Check version 0.99.10

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

ESET Online Scanner v3

McAfee Internet Security

McAfee Online Backup

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 22

Out of date Java installed!

Adobe Flash Player 10.2.159.1

Adobe Reader 8.1.4

Out of date Adobe Reader installed!

Mozilla Firefox (3.6.17) Firefox Out of Date!

````````````````````````````````

Process Check:

objlist.exe by Laurent

McAfee Online Backup MOBKbackup.exe

``````````End of Log````````````


  • Staff

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):

Java


I have uninstalled all of those programs. The computer does not appear to have any issues any more. I hope that it is all figured out.

Thank you very much for your help! Please let me know if there is anything else to do.


  • Staff

Great news!

I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317
