BleepingComputer.com: Google links keep redirecting

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

Google links keep redirecting

#1 User is offline   Paisley Panda 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 10
  • Joined: 15-March 11

Posted 18 March 2011 - 03:57 PM

I've been having a problem when trying to access sites via google. Generally after using a google seach if I try to access a site via the link on the search results page I get redirected to a site that I'm not trying to access. In most cases I'm redirected to advertisements.

A few months ago my PC started accessing web pages on its own. When it was on but no-one was using it the browser history would show loads of web pages being accessed. At other times pages would start to open on screen on their own. McAfee didn't find anything when scanning but Malwarebytes found and removed some infections which solved the initial problem. Since then however, the google problem has emerged and any scans I've performed have come up blank.

The DDS log is below. Any help would be appreciated.

Cheers, Tom.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Tom at 20:16:12.92 on 17/03/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1022.297 [GMT 0:00]
.
AV: McAfee VirusScan *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BT Home Computing\BTHomeComputing.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tom\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.sky.com
uSearch Page = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
uWindow Title = Internet Explorer Provided By Sky Broadband
uSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uDefault_Page_URL = hxxp://www.sky.com
mDefault_Search_URL = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
mSearch Page = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant =
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
mSearchAssistant =
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {089FD14D-132B-48FC-8861-0048AE113215} - No File
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn3\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [Yahoo! Pager] c:\progra~1\yahoo!\messen~1\ypager.exe -quiet
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [Motive SmartBridge] c:\progra~1\btbroa~2\smartb~1\BTHelpNotifier.exe
mRun: [DLBXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBXtime.dll,_RunDLLEntry@16
mRun: [dlbxmon.exe] "c:\program files\dell photo aio printer 962\dlbxmon.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bthome~1.lnk - c:\program files\bt home computing\BTHomeComputing.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\599\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
============= SERVICES / DRIVERS ===============
.
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-4 214664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-12-22 88176]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-12-22 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-12-22 144704]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-12-22 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-12-22 35272]
S2 gupdate1ca0780a85c5674;Google Update Service (gupdate1ca0780a85c5674);c:\program files\google\update\GoogleUpdate.exe [2009-7-18 133104]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-12-22 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-12-22 40552]
S3 pohci13F;pohci13F; [x]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-12-22 606736]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 20:17:42.62 ===============

Attached File(s)

  • Attached File  ark.txt (98.05K)
    Number of downloads: 1

#2 User is offline   km2357 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 1,748
  • Joined: 13-January 08
  • Gender:Male
  • Location:California

Posted 23 March 2011 - 01:16 PM

Hello and welcome to Bleeping Computer.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying, the forum is very busy. If you still need help, please do the following:


Step # 1 Download and run DDS

Download DDS and save it to your desktop from here or here or here
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt

  • Save both reports to your desktop. Post them back to your topic.



Step # 2: Download and Run Gmer

Please download gmer.zip from Gmer and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst

If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure that the 'Sections' button is ticked and the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log.

  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.

  • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.


DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !

Please post the results from the GMER scan in your reply.


In your next post/reply, I need to see the following:

1. The two DDS Logs (DDS and Attach.txt)
2. The GMER Log

Use multiple posts if you can't fit everything into one post
MalWare Removal University Master
Member of ASAP
Posted Image

#3 User is offline   Paisley Panda 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 10
  • Joined: 15-March 11

Posted 25 March 2011 - 12:58 PM

Hi and thanks for your offer of help. I've followed the steps you in your post and attach the reports created. You can let me know if this is what you need.

Cheers.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Tom at 19:39:39.40 on 24/03/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1022.321 [GMT 0:00]
.
AV: McAfee VirusScan *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BT Home Computing\BTHomeComputing.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tom\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.sky.com
uSearch Page = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
uWindow Title = Internet Explorer Provided By Sky Broadband
uSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uDefault_Page_URL = hxxp://www.sky.com
mDefault_Search_URL = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
mSearch Page = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant =
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
mSearchAssistant =
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {089FD14D-132B-48FC-8861-0048AE113215} - No File
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn3\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [Yahoo! Pager] c:\progra~1\yahoo!\messen~1\ypager.exe -quiet
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [Motive SmartBridge] c:\progra~1\btbroa~2\smartb~1\BTHelpNotifier.exe
mRun: [DLBXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBXtime.dll,_RunDLLEntry@16
mRun: [dlbxmon.exe] "c:\program files\dell photo aio printer 962\dlbxmon.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bthome~1.lnk - c:\program files\bt home computing\BTHomeComputing.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\599\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
============= SERVICES / DRIVERS ===============
.
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-4 214664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-12-22 88176]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-12-22 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-12-22 144704]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-12-22 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-12-22 35272]
S2 gupdate1ca0780a85c5674;Google Update Service (gupdate1ca0780a85c5674);c:\program files\google\update\GoogleUpdate.exe [2009-7-18 133104]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-12-22 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-12-22 40552]
S3 pohci13F;pohci13F; [x]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-12-22 606736]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 19:41:20.28 ===============

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-03-24 22:47:53
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e Maxtor_7L250S0 rev.BACE1G10
Running: gmer.exe; Driver: C:\DOCUME~1\Tom\LOCALS~1\Temp\fxtyapob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEE33778A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xEE337821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEE337738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEE33774C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xEE337835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xEE337861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xEE3378CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xEE3378B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEE3377CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xEE3378FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xEE33780D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEE337710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEE337724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEE33779E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xEE337937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xEE3378A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xEE33788D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xEE33784B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xEE337923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xEE33790F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEE337776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEE337762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xEE337877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEE3377F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xEE3378E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEE3377E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEE3377B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504B08 7 Bytes JMP EE3377B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 805790A8 5 Bytes JMP EE33778E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B203A 7 Bytes JMP EE3377CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E48 5 Bytes JMP EE3377E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B841E 7 Bytes JMP EE3377A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB440 5 Bytes JMP EE337714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB6CC 5 Bytes JMP EE337728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE8A 5 Bytes JMP EE337766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D117A 7 Bytes JMP EE337750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D1230 5 Bytes JMP EE33773C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D173A 5 Bytes JMP EE33777A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29E2 5 Bytes JMP EE3377FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 80622314 7 Bytes JMP EE337891 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80622662 7 Bytes JMP EE33787B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 8062298C 7 Bytes JMP EE3378E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 8062323E 7 Bytes JMP EE3378A7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80623B12 7 Bytes JMP EE33784F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806240F0 5 Bytes JMP EE337825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8062458C 7 Bytes JMP EE337839 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8062475C 7 Bytes JMP EE337865 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 8062493C 7 Bytes JMP EE3378D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 80624BA6 7 Bytes JMP EE3378BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 806254CE 5 Bytes JMP EE337811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80625810 7 Bytes JMP EE33793B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 80625AD0 5 Bytes JMP EE337913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 806261C4 5 Bytes JMP EE337927 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 806262DE 5 Bytes JMP EE3378FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
init C:\WINDOWS\system32\DRIVERS\mohfilt.sys entry point in "init" section [0xF7885760]
? C:\DOCUME~1\Tom\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[256] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F80FEF
.text C:\WINDOWS\System32\svchost.exe[256] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F80F55
.text C:\WINDOWS\System32\svchost.exe[256] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F8004A
.text C:\WINDOWS\System32\svchost.exe[256] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F80F7C
.text C:\WINDOWS\System32\svchost.exe[256] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F80F8D
.text C:\WINDOWS\System32\svchost.exe[256] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F80FB9
.text C:\WINDOWS\System32\svchost.exe[256] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F8008C
.text C:\WINDOWS\System32\svchost.exe[256] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F80065
.text C:\WINDOWS\System32\svchost.exe[256] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F80F15
.text C:\WINDOWS\System32\svchost.exe[256] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F800AE
.text C:\WINDOWS\System32\svchost.exe[256] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F800D3
.text C:\WINDOWS\System32\svchost.exe[256] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F80FA8
.text C:\WINDOWS\System32\svchost.exe[256] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F80FDE
.text C:\WINDOWS\System32\svchost.exe[256] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F80F3A
.text C:\WINDOWS\System32\svchost.exe[256] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F80025
.text C:\WINDOWS\System32\svchost.exe[256] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F80014
.text C:\WINDOWS\System32\svchost.exe[256] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F8009D
.text C:\WINDOWS\System32\svchost.exe[256] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F7001B
.text C:\WINDOWS\System32\svchost.exe[256] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F70F79
.text C:\WINDOWS\System32\svchost.exe[256] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F7000A
.text C:\WINDOWS\System32\svchost.exe[256] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F70FCA
.text C:\WINDOWS\System32\svchost.exe[256] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F70F94
.text C:\WINDOWS\System32\svchost.exe[256] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F70FE5
.text C:\WINDOWS\System32\svchost.exe[256] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F7002C
.text C:\WINDOWS\System32\svchost.exe[256] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F70FA5
.text C:\WINDOWS\System32\svchost.exe[256] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006C0047
.text C:\WINDOWS\System32\svchost.exe[256] msvcrt.dll!system 77C293C7 5 Bytes JMP 006C002C
.text C:\WINDOWS\System32\svchost.exe[256] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006C0FC6
.text C:\WINDOWS\System32\svchost.exe[256] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006C0FE3
.text C:\WINDOWS\System32\svchost.exe[256] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006C001B
.text C:\WINDOWS\System32\svchost.exe[256] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006C0000
.text C:\WINDOWS\System32\svchost.exe[256] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006B0FEF
.text C:\WINDOWS\system32\services.exe[700] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CA000A
.text C:\WINDOWS\system32\services.exe[700] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CA0F95
.text C:\WINDOWS\system32\services.exe[700] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CA008A
.text C:\WINDOWS\system32\services.exe[700] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CA0FA6
.text C:\WINDOWS\system32\services.exe[700] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CA0FC3
.text C:\WINDOWS\system32\services.exe[700] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CA0FDE
.text C:\WINDOWS\system32\services.exe[700] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CA0F78
.text C:\WINDOWS\system32\services.exe[700] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CA00C0
.text C:\WINDOWS\system32\services.exe[700] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CA0F31
.text C:\WINDOWS\system32\services.exe[700] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CA0F56
.text C:\WINDOWS\system32\services.exe[700] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CA0F20
.text C:\WINDOWS\system32\services.exe[700] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CA0065
.text C:\WINDOWS\system32\services.exe[700] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CA0025
.text C:\WINDOWS\system32\services.exe[700] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CA00AF
.text C:\WINDOWS\system32\services.exe[700] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CA0040
.text C:\WINDOWS\system32\services.exe[700] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\system32\services.exe[700] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CA0F67
.text C:\WINDOWS\system32\services.exe[700] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C90036
.text C:\WINDOWS\system32\services.exe[700] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C90F94
.text C:\WINDOWS\system32\services.exe[700] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C90025
.text C:\WINDOWS\system32\services.exe[700] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C90FEF
.text C:\WINDOWS\system32\services.exe[700] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C90FAF
.text C:\WINDOWS\system32\services.exe[700] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C9000A
.text C:\WINDOWS\system32\services.exe[700] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C90FCA
.text C:\WINDOWS\system32\services.exe[700] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes JMP C89FEDE5
.text C:\WINDOWS\system32\services.exe[700] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C90051
.text C:\WINDOWS\system32\services.exe[700] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C80064
.text C:\WINDOWS\system32\services.exe[700] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C80053
.text C:\WINDOWS\system32\services.exe[700] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C80027
.text C:\WINDOWS\system32\services.exe[700] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C80FEF
.text C:\WINDOWS\system32\services.exe[700] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C80038
.text C:\WINDOWS\system32\services.exe[700] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C8000C
.text C:\WINDOWS\system32\services.exe[700] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C70FEF
.text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C40000
.text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C40089
.text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C4006E
.text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C4005D
.text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C40040
.text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C40FAF
.text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C40F4B
.text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C40F68
.text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C40F30
.text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C400C9
.text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C400E4
.text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C40F94
.text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C4001B
.text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C40F79
.text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C40FC0
.text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C40FE5
.text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C400AE
.text C:\WINDOWS\system32\lsass.exe[712] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C3001E
.text C:\WINDOWS\system32\lsass.exe[712] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C30054
.text C:\WINDOWS\system32\lsass.exe[712] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C30FCD
.text C:\WINDOWS\system32\lsass.exe[712] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C30FDE
.text C:\WINDOWS\system32\lsass.exe[712] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C30F97
.text C:\WINDOWS\system32\lsass.exe[712] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C30FEF
.text C:\WINDOWS\system32\lsass.exe[712] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C30FA8
.text C:\WINDOWS\system32\lsass.exe[712] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E3, 88] {JECXZ 0xffffffffffffff8a}
.text C:\WINDOWS\system32\lsass.exe[712] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C3002F
.text C:\WINDOWS\system32\lsass.exe[712] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C2004E
.text C:\WINDOWS\system32\lsass.exe[712] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C2003D
.text C:\WINDOWS\system32\lsass.exe[712] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C20FCD
.text C:\WINDOWS\system32\lsass.exe[712] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C20FEF
.text C:\WINDOWS\system32\lsass.exe[712] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C2002C
.text C:\WINDOWS\system32\lsass.exe[712] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C20FDE
.text C:\WINDOWS\system32\lsass.exe[712] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C10FEF
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B20FE5
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B20F6F
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B20064
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B20F80
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B2003D
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B2002C
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B20F26
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B20F43
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B200B5
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B200A4
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B200D0
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B20F9B
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B20000
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B20F54
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B20FCA
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B2001B
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B20089
.text C:\WINDOWS\system32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B10FAF
.text C:\WINDOWS\system32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B10F76
.text C:\WINDOWS\system32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B10FCA
.text C:\WINDOWS\system32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B10000
.text C:\WINDOWS\system32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B1003D
.text C:\WINDOWS\system32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B10FEF
.text C:\WINDOWS\system32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B1002C
.text C:\WINDOWS\system32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B1001B
.text C:\WINDOWS\system32\svchost.exe[912] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B00F9C
.text C:\WINDOWS\system32\svchost.exe[912] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B0001D
.text C:\WINDOWS\system32\svchost.exe[912] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B0000C
.text C:\WINDOWS\system32\svchost.exe[912] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B00FEF
.text C:\WINDOWS\system32\svchost.exe[912] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B00FAD
.text C:\WINDOWS\system32\svchost.exe[912] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B00FD2
.text C:\WINDOWS\system32\svchost.exe[912] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AF0FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[940] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[940] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C10000
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C10F9C
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C10FAD
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C10FBE
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C1007D
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C10047
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C10F5F
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C10F70
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C10F3D
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C100CC
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C10F2C
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C1006C
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C10011
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C10F81
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C10FDB
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C10022
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C10F4E
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C00025
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C00F83
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C00FD4
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C00040
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C0000A
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C00FA8
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E0, 88] {LOOPNZ 0xffffffffffffff8a}
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C00FB9
.text C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BF0F86
.text C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BF0F97
.text C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BF0FE3
.text C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BF0011
.text C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BF0FC6
.text C:\WINDOWS\system32\svchost.exe[1016] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 021F000A
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 021F0078
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 021F0F8D
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 021F0F9E
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 021F0FAF
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 021F0047
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 021F00CB
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 021F00B0
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 021F0F3C
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 021F0F57
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 021F00F0
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 021F0FC0
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 021F0FE5
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 021F0089
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 021F002C
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 021F001B
.text C:\WINDOWS\System32\svchost.exe[1116] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 021F0F68
.text C:\WINDOWS\System32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0193001B
.text C:\WINDOWS\System32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01930F94
.text C:\WINDOWS\System32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01930FCA
.text C:\WINDOWS\System32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01930FE5
.text C:\WINDOWS\System32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01930051
.text C:\WINDOWS\System32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01930000
.text C:\WINDOWS\System32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01930040
.text C:\WINDOWS\System32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01930FB9
.text C:\WINDOWS\System32\svchost.exe[1116] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C20FA8
.text C:\WINDOWS\System32\svchost.exe[1116] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C20FC3
.text C:\WINDOWS\System32\svchost.exe[1116] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C20FDE
.text C:\WINDOWS\System32\svchost.exe[1116] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C20FEF
.text C:\WINDOWS\System32\svchost.exe[1116] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C20033
.text C:\WINDOWS\System32\svchost.exe[1116] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C20018
.text C:\WINDOWS\System32\svchost.exe[1116] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C10FEF
.text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00C00000
.text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00C00FE5
.text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00C0001B
.text C:\WINDOWS\System32\svchost.exe[1116] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 00C00FD4
.text C:\WINDOWS\Explorer.EXE[1240] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E00FEF
.text C:\WINDOWS\Explorer.EXE[1240] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E00F8B
.text C:\WINDOWS\Explorer.EXE[1240] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E00080
.text C:\WINDOWS\Explorer.EXE[1240] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E00065
.text C:\WINDOWS\Explorer.EXE[1240] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E00FB2
.text C:\WINDOWS\Explorer.EXE[1240] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E0004A
.text C:\WINDOWS\Explorer.EXE[1240] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E00F3F
.text C:\WINDOWS\Explorer.EXE[1240] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E00091
.text C:\WINDOWS\Explorer.EXE[1240] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E000CE
.text C:\WINDOWS\Explorer.EXE[1240] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E000BD
.text C:\WINDOWS\Explorer.EXE[1240] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E00F10
.text C:\WINDOWS\Explorer.EXE[1240] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E00FCD
.text C:\WINDOWS\Explorer.EXE[1240] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E0000A
.text C:\WINDOWS\Explorer.EXE[1240] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E00F66
.text C:\WINDOWS\Explorer.EXE[1240] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E00FDE
.text C:\WINDOWS\Explorer.EXE[1240] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E00025
.text C:\WINDOWS\Explorer.EXE[1240] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E000A2
.text C:\WINDOWS\Explorer.EXE[1240] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DF0FCD
.text C:\WINDOWS\Explorer.EXE[1240] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DF0062
.text C:\WINDOWS\Explorer.EXE[1240] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DF0FDE
.text C:\WINDOWS\Explorer.EXE[1240] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DF0FEF
.text C:\WINDOWS\Explorer.EXE[1240] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DF0051
.text C:\WINDOWS\Explorer.EXE[1240] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DF000A
.text C:\WINDOWS\Explorer.EXE[1240] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00DF0040
.text C:\WINDOWS\Explorer.EXE[1240] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DF002F
.text C:\WINDOWS\Explorer.EXE[1240] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DE0FB4
.text C:\WINDOWS\Explorer.EXE[1240] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DE003F
.text C:\WINDOWS\Explorer.EXE[1240] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DE001D
.text C:\WINDOWS\Explorer.EXE[1240] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DE0FEF
.text C:\WINDOWS\Explorer.EXE[1240] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DE002E
.text C:\WINDOWS\Explorer.EXE[1240] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DE0000
.text C:\WINDOWS\Explorer.EXE[1240] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00DC0000
.text C:\WINDOWS\Explorer.EXE[1240] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00DC0FE5
.text C:\WINDOWS\Explorer.EXE[1240] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00DC0FD4
.text C:\WINDOWS\Explorer.EXE[1240] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 00DC0FB9
.text C:\WINDOWS\Explorer.EXE[1240] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DD0000
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C60000
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C60F74
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C60F85
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C60069
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C60FB6
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C60FD1
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C60F43
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C60095
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C600D2
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C600C1
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C600F7
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C60058
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C6001B
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C60084
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C60047
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C6002C
.text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C600B0
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C50FC0
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C5005B
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C50011
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C50000
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C50040
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C50FEF
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C50F94
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E5, 88] {IN EAX, 0x88}
.text C:\WINDOWS\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C50FA5
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C40025
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C40FA4
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C4000A
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C40FE3
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C40FB5
.text C:\WINDOWS\system32\svchost.exe[1356] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C40FC6
.text C:\WINDOWS\system32\svchost.exe[1356] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C30000
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C70FEF
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C70F61
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C70F72
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C70040
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C70F83
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C70F9E
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C7008C
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C70F3A
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C70F29
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C700B8
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C700E7
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C70025
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C7000A
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C70071
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C70FC3
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C70FD4
.text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C7009D
.text C:\WINDOWS\system32\svchost.exe[1620] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C60FD4
.text C:\WINDOWS\system32\svchost.exe[1620] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C60F7C
.text C:\WINDOWS\system32\svchost.exe[1620] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C60025
.text C:\WINDOWS\system32\svchost.exe[1620] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\system32\svchost.exe[1620] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C60FA1
.text C:\WINDOWS\system32\svchost.exe[1620] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C60000
.text C:\WINDOWS\system32\svchost.exe[1620] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C60FB2
.text C:\WINDOWS\system32\svchost.exe[1620] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E6, 88] {OUT 0x88, AL}
.text C:\WINDOWS\system32\svchost.exe[1620] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C60FC3
.text C:\WINDOWS\system32\svchost.exe[1620] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C50049
.text C:\WINDOWS\system32\svchost.exe[1620] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C50038
.text C:\WINDOWS\system32\svchost.exe[1620] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C5001D
.text C:\WINDOWS\system32\svchost.exe[1620] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C50000
.text C:\WINDOWS\system32\svchost.exe[1620] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C50FC8
.text C:\WINDOWS\system32\svchost.exe[1620] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C50FE3
.text C:\WINDOWS\system32\svchost.exe[1996] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C40000
.text C:\WINDOWS\system32\svchost.exe[1996] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C40F46
.text C:\WINDOWS\system32\svchost.exe[1996] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C40F57
.text C:\WINDOWS\system32\svchost.exe[1996] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C40F72
.text C:\WINDOWS\system32\svchost.exe[1996] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C40F8D
.text C:\WINDOWS\system32\svchost.exe[1996] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C40FAF
.text C:\WINDOWS\system32\svchost.exe[1996] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C4007B
.text C:\WINDOWS\system32\svchost.exe[1996] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C40060
.text C:\WINDOWS\system32\svchost.exe[1996] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C40EFA
.text C:\WINDOWS\system32\svchost.exe[1996] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C4009D
.text C:\WINDOWS\system32\svchost.exe[1996] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C40EDF
.text C:\WINDOWS\system32\svchost.exe[1996] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C40F9E
.text C:\WINDOWS\system32\svchost.exe[1996] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C40FE5
.text C:\WINDOWS\system32\svchost.exe[1996] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C40F35
.text C:\WINDOWS\system32\svchost.exe[1996] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C40FCA
.text C:\WINDOWS\system32\svchost.exe[1996] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C4001B
.text C:\WINDOWS\system32\svchost.exe[1996] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C4008C
.text C:\WINDOWS\system32\svchost.exe[1996] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C30025
.text C:\WINDOWS\system32\svchost.exe[1996] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C30047
.text C:\WINDOWS\system32\svchost.exe[1996] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C30FCA
.text C:\WINDOWS\system32\svchost.exe[1996] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C30FE5
.text C:\WINDOWS\system32\svchost.exe[1996] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C30F8A
.text C:\WINDOWS\system32\svchost.exe[1996] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C30000
.text C:\WINDOWS\system32\svchost.exe[1996] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C30FAF
.text C:\WINDOWS\system32\svchost.exe[1996] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E3, 88] {JECXZ 0xffffffffffffff8a}
.text C:\WINDOWS\system32\svchost.exe[1996] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C30036
.text C:\WINDOWS\system32\svchost.exe[1996] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C20053
.text C:\WINDOWS\system32\svchost.exe[1996] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C20FD2
.text C:\WINDOWS\system32\svchost.exe[1996] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C2001D
.text C:\WINDOWS\system32\svchost.exe[1996] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C20FEF
.text C:\WINDOWS\system32\svchost.exe[1996] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C20042
.text C:\WINDOWS\system32\svchost.exe[1996] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C20000
.text C:\WINDOWS\system32\svchost.exe[1996] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\system32\svchost.exe[1996] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00C00FDE
.text C:\WINDOWS\system32\svchost.exe[1996] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00C00FCD
.text C:\WINDOWS\system32\svchost.exe[1996] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 00C00FBC
.text C:\WINDOWS\system32\svchost.exe[1996] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C10000
.text C:\Program Files\Messenger\msmsgs.exe[2276] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FEF
.text C:\Program Files\Messenger\msmsgs.exe[2276] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F6D
.text C:\Program Files\Messenger\msmsgs.exe[2276] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0062
.text C:\Program Files\Messenger\msmsgs.exe[2276] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F88
.text C:\Program Files\Messenger\msmsgs.exe[2276] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0047
.text C:\Program Files\Messenger\msmsgs.exe[2276] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A001B
.text C:\Program Files\Messenger\msmsgs.exe[2276] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F3A
.text C:\Program Files\Messenger\msmsgs.exe[2276] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F4B
.text C:\Program Files\Messenger\msmsgs.exe[2276] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00B8
.text C:\Program Files\Messenger\msmsgs.exe[2276] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00A7
.text C:\Program Files\Messenger\msmsgs.exe[2276] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A00C9
.text C:\Program Files\Messenger\msmsgs.exe[2276] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0036
.text C:\Program Files\Messenger\msmsgs.exe[2276] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0000
.text C:\Program Files\Messenger\msmsgs.exe[2276] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0F5C
.text C:\Program Files\Messenger\msmsgs.exe[2276] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0FB9
.text C:\Program Files\Messenger\msmsgs.exe[2276] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0FCA
.text C:\Program Files\Messenger\msmsgs.exe[2276] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A0F1F
.text C:\Program Files\Messenger\msmsgs.exe[2276] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00290FAD
.text C:\Program Files\Messenger\msmsgs.exe[2276] msvcrt.dll!system 77C293C7 5 Bytes JMP 00290FBE
.text C:\Program Files\Messenger\msmsgs.exe[2276] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00290FD9
.text C:\Program Files\Messenger\msmsgs.exe[2276] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0029000C
.text C:\Program Files\Messenger\msmsgs.exe[2276] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0029002E
.text C:\Program Files\Messenger\msmsgs.exe[2276] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0029001D
.text C:\Program Files\Messenger\msmsgs.exe[2276] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A002F
.text C:\Program Files\Messenger\msmsgs.exe[2276] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A006C
.text C:\Program Files\Messenger\msmsgs.exe[2276] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A0FD4
.text C:\Program Files\Messenger\msmsgs.exe[2276] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A0000
.text C:\Program Files\Messenger\msmsgs.exe[2276] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002A0051
.text C:\Program Files\Messenger\msmsgs.exe[2276] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002A0FEF
.text C:\Program Files\Messenger\msmsgs.exe[2276] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002A0040
.text C:\Program Files\Messenger\msmsgs.exe[2276] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002A0FB9
.text C:\Program Files\Messenger\msmsgs.exe[2276] WS2_32.dll!socket 71AB4211 5 Bytes JMP 002B0FEF
.text C:\Program Files\Messenger\msmsgs.exe[2276] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 002C0FEF
.text C:\Program Files\Messenger\msmsgs.exe[2276] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 002C000A
.text C:\Program Files\Messenger\msmsgs.exe[2276] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 002C0FD4
.text C:\Program Files\Messenger\msmsgs.exe[2276] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 002C0025
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00260FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00260093
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00260082
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00260F9E
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0026005B
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00260036
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00260F5C
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00260F83
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 002600EB
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 002600D0
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 002600FC
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00260FAF
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00260000
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 002600AE
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0026001B
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00260FC0
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 002600BF
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00350FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00350058
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00350036
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00350011
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00350F9B
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00350000
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00350047
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00350FC0
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9B15 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD16D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] USER32.dll!DrawTextExW 7E42B415 5 Bytes JMP 00DDC510
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB6C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254666 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] USER32.dll!DrawTextW 7E42D7E2 5 Bytes JMP 00DDC34C
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] USER32.dll!SetClipboardData 7E430F9E 5 Bytes JMP 00DDBFC3
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E502F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F61 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4FCC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] USER32.dll!DrawTextA 7E43C702 5 Bytes JMP 00DDC270
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] USER32.dll!DrawTextExA 7E43C739 5 Bytes JMP 00DDC428
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4E32 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E94 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5092 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EF6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] GDI32.dll!TextOutW 77F17EAC 5 Bytes JMP 00DDC1A3
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] GDI32.dll!ExtTextOutW 77F18086 5 Bytes JMP 00DDC6DD
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] GDI32.dll!TextOutA 77F1BA4F 5 Bytes JMP 00DDC0D6
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] GDI32.dll!ExtTextOutA 77F1D3FA 5 Bytes JMP 00DDC5F8
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] GDI32.dll!GetGlyphIndicesA 77F3DFE3 5 Bytes JMP 00DDCA94
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] GDI32.dll!GetGlyphIndicesW 77F52604 5 Bytes JMP 00DDCB5E
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00360F90
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] msvcrt.dll!system 77C293C7 5 Bytes JMP 00360FAB
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00360FD7
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00360000
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00360FBC
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00360011
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBC8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E53B0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 04112D10 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (SiteAdvisor/McAfee, Inc.)
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 04112BF0 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (SiteAdvisor/McAfee, Inc.)
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 04112EB0 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (SiteAdvisor/McAfee, Inc.)
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 04112FB0 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (SiteAdvisor/McAfee, Inc.)
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00A20FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00A20FDE
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00A2001E
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 00A20039
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00DDB1A3
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00DDBF35
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E30FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00DDBC3D
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00DDBE4E
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00DDB0E6
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] WS2_32.dll!recv 71AB676F 2 Bytes JMP 00DDBCE3
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] WS2_32.dll!recv + 3 71AB6772 2 Bytes [32, 8F]
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00DDBD8D
.text C:\Program Files\Internet Explorer\iexplore.exe[3368] WS2_32.dll!WSAAsyncGetHostByName 71ABE99D 5 Bytes JMP 00DDB56A
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0026000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0026008E
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0026007D
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0026006C
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00260FB9
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00260040
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 002600D7
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 002600C6
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00260F48
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00260F59
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 002600FC
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00260051
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00260025
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 002600A9
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00260FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00260FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00260F7E
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00350FB9
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00350F83
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00350FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0035000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00350F94
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00350FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00350036
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00350025
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] USER32.dll!DrawTextExW 7E42B415 5 Bytes JMP 00DDC510
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB6C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] USER32.dll!DrawTextW 7E42D7E2 5 Bytes JMP 00DDC34C
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] USER32.dll!SetClipboardData 7E430F9E 5 Bytes JMP 00DDBFC3
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E502F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F61 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4FCC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] USER32.dll!DrawTextA 7E43C702 5 Bytes JMP 00DDC270
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] USER32.dll!DrawTextExA 7E43C739 5 Bytes JMP 00DDC428
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4E32 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E94 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5092 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EF6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] GDI32.dll!TextOutW 77F17EAC 5 Bytes JMP 00DDC1A3
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] GDI32.dll!ExtTextOutW 77F18086 5 Bytes JMP 00DDC6DD
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] GDI32.dll!TextOutA 77F1BA4F 5 Bytes JMP 00DDC0D6
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] GDI32.dll!ExtTextOutA 77F1D3FA 5 Bytes JMP 00DDC5F8
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] GDI32.dll!GetGlyphIndicesA 77F3DFE3 5 Bytes JMP 00DDCA94
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] GDI32.dll!GetGlyphIndicesW 77F52604 5 Bytes JMP 00DDCB5E
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00360070
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] msvcrt.dll!system 77C293C7 5 Bytes JMP 00360055
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0036003A
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0036000C
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00360FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0036001D
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00A20FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00A2000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00A2001B
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] WININET.dll!InternetOpenUrlW 3D9A6D77 5 Bytes JMP 00A2002C
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00DDB1A3
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00DDBF35
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E20000
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00DDBC3D
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00DDBE4E
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00DDB0E6
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] WS2_32.dll!recv 71AB676F 2 Bytes JMP 00DDBCE3
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] WS2_32.dll!recv + 3 71AB6772 2 Bytes [32, 8F]
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00DDBD8D
.text C:\Program Files\Internet Explorer\iexplore.exe[3872] WS2_32.dll!WSAAsyncGetHostByName 71ABE99D 5 Bytes JMP 00DDB56A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[3272] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [63602723] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[3272] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [63602640] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[3272] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [636022E2] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[3272] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [63602687] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[3272] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [63602723] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[3272] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [63602640] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[3272] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [636022E2] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[3272] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [63602687] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[3272] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [63602640] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[3272] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [63602687] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[3272] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [636022E2] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[3272] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [63602723] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[3272] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [636026CE] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[3272] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [636015B4] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[3272] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [63601F71] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[3272] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [63601EA6] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[3272] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [63601F47] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[3272] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [6360158D] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[3272] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [636026CE] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[3272] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [63602723] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[3272] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [63602687] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[3272] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [63602640] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[3272] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [636022E2] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[3272] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [63601F71] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[3272] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [63601F47] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[3272] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [63601EA6] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[3272] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [6360158D] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[3272] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [636015B4] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Internet Explorer\iexplore.exe[3368] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat BA4F7D20
Device \FileSystem\Fastfat \Fat BA507428

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----

Attached File(s)


#4 User is offline   km2357 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 1,748
  • Joined: 13-January 08
  • Gender:Male
  • Location:California

Posted 25 March 2011 - 01:16 PM

Thanks for posting the logs. :)


Step # 1: Disable Teatimer

Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

This is a two step process.
First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the version 1.5 or 1.6, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident


Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in left panel, click Resident shows a red/white shield.
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.



Step # 2: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please post C:\ComboFix.txt in your next reply.
MalWare Removal University Master
Member of ASAP
Posted Image

#5 User is offline   Paisley Panda 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 10
  • Joined: 15-March 11

Posted 26 March 2011 - 10:37 AM

Thanks for the quick response. You're obviously too busy with all these logs to move away from your PC - you should move to Scotland, the weather here means you don't want to move away from your PC :lol:

Combo fix log is below. I did did get a few few McAfee warnings about Registry changes towards the end, so if i've not disabled that properly let me know.

Cheers,

ComboFix 11-03-23.04 - Tom 26/03/2011 15:03:56.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1022.436 [GMT 0:00]
Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe
AV: McAfee VirusScan *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc10.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc11.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc12.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc14.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc15.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc1F.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc20.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc21.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc22.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc23.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc24.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc25.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc26.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc27.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc28.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc29.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc2A.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc2B.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc2C.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc2D.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc2E.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc2F.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc30.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc31.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc32.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc33.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc34.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc35.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc36.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc37.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc38.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc39.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc3A.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc3B.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc3C.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc3D.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc3E.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc3F.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc40.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc41.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc42.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc43.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc44.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc45.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc46.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc47.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc48.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc49.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc4A.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc4B.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc4C.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc4D.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc4E.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc4F.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc50.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc51.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc52.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc53.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc54.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc55.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc56.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc57.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc58.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc59.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc5A.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc5B.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc5C.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc5D.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc5E.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc5F.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc60.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc61.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc62.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc63.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc64.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc65.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc66.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc67.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc68.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc69.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc6A.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc6B.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc6C.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc6D.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc6E.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc6F.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc70.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc71.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc72.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc73.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc74.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc75.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc76.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc77.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc78.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc79.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc7A.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc7B.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc7C.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc7D.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc7E.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc7F.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc80.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc81.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc82.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc83.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc84.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mcc91.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mccA9.tmp
c:\documents and settings\Tom\Local Settings\Temporary Internet Files\mccBD.tmp
c:\windows\Google Pack Screensaver Uninstaller.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-02-26 to 2011-03-26 )))))))))))))))))))))))))))))))
.
.
2011-03-11 20:31 . 2011-03-11 20:34 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-10 12:51 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-10 12:51 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2004-08-10 13:01 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-10 13:01 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-10 12:51 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-10 12:50 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-10 12:51 1854976 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\ypager.exe" [2005-08-31 2478080]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-30 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"Motive SmartBridge"="c:\progra~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe" [2006-02-06 462935]
"DLBXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll" [2004-12-07 69632]
"dlbxmon.exe"="c:\program files\Dell Photo AIO Printer 962\dlbxmon.exe" [2005-01-18 425984]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-08 47904]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-07 1176808]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-29 202256]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BT Home Computing.lnk - c:\program files\BT Home Computing\BTHomeComputing.exe [2005-7-27 10240]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-12-22 12:59 13672 ----a-w- c:\program files\Citrix\GoToAssist\599\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpBrowser.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpNotifier.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [22/12/2009 13:30 88176]
S2 gupdate1ca0780a85c5674;Google Update Service (gupdate1ca0780a85c5674);c:\program files\Google\Update\GoogleUpdate.exe [18/07/2009 08:18 133104]
S3 pohci13F;pohci13F; [x]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 03:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2010-09-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]
.
2011-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-18 08:17]
.
2011-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-18 08:17]
.
2009-12-22 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-12-22 12:22]
.
2009-12-22 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-12-22 12:22]
.
2011-03-26 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1052084855-908235394-1647191414-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2011-03-26 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1052084855-908235394-1647191414-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2011-03-26 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1052084855-908235394-1647191414-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2011-03-26 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1052084855-908235394-1647191414-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2011-03-26 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1052084855-908235394-1647191414-1010.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2011-03-26 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1052084855-908235394-1647191414-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2011-03-24 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1052084855-908235394-1647191414-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2011-03-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1052084855-908235394-1647191414-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2011-03-26 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1052084855-908235394-1647191414-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2011-02-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1052084855-908235394-1647191414-1010.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sky.com
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant =
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
ShellIconOverlayIdentifiers-{B8A03725-03B9-485F-BB22-E848799D4C2A} - c:\documents and settings\Tom\Local Settings\Application Data\Valued Opinions\PanelApp\PanelApp_0600.2007.0517.1434.dll
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
AddRemove-Google Pack Screensaver - c:\windows\Google Pack Screensaver Uninstaller.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-26 15:19
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(656)
c:\program files\Citrix\GoToAssist\599\G2AWinLogon.dll
.
Completion time: 2011-03-26 15:23:33
ComboFix-quarantined-files.txt 2011-03-26 15:23
.
Pre-Run: 158,504,542,208 bytes free
Post-Run: 161,711,808,512 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30
.
- - End Of File - - C19A31B31839B0869623ED653AC50D8D

#6 User is offline   km2357 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 1,748
  • Joined: 13-January 08
  • Gender:Male
  • Location:California

Posted 26 March 2011 - 12:08 PM

Step # 1: Run CFScript

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below: 

    KILLALL::

DDS::

mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
BHO: {089FD14D-132B-48FC-8861-0048AE113215} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File



  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.




    Posted Image


    Note: This CFScript is for use on Paisely Panda's computer only! Do not use it on your computer.


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


In your next post/reply, I need to see the following:

1. The ComboFix Log that appears after Step 1 has been completed.
2. A fresh DDS Log taken after Step 1 has been completed.
MalWare Removal University Master
Member of ASAP
Posted Image

#7 User is offline   Paisley Panda 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 10
  • Joined: 15-March 11

Posted 26 March 2011 - 04:03 PM

The two logs are as follows.

Cheers,

ComboFix 11-03-23.04 - Tom 26/03/2011 20:25:56.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1022.472 [GMT 0:00]
Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tom\Desktop\CFScript.txt
AV: McAfee VirusScan *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((( Files Created from 2011-02-26 to 2011-03-26 )))))))))))))))))))))))))))))))
.
.
2011-03-11 20:31 . 2011-03-11 20:34 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-10 12:51 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-10 12:51 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2004-08-10 13:01 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-10 13:01 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-10 12:51 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-10 12:50 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-10 12:51 1854976 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\ypager.exe" [2005-08-31 2478080]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-30 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"Motive SmartBridge"="c:\progra~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe" [2006-02-06 462935]
"DLBXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll" [2004-12-07 69632]
"dlbxmon.exe"="c:\program files\Dell Photo AIO Printer 962\dlbxmon.exe" [2005-01-18 425984]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-08 47904]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-07 1176808]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-29 202256]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BT Home Computing.lnk - c:\program files\BT Home Computing\BTHomeComputing.exe [2005-7-27 10240]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-12-22 12:59 13672 ----a-w- c:\program files\Citrix\GoToAssist\599\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpBrowser.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpNotifier.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [22/12/2009 13:30 88176]
S2 gupdate1ca0780a85c5674;Google Update Service (gupdate1ca0780a85c5674);c:\program files\Google\Update\GoogleUpdate.exe [18/07/2009 08:18 133104]
S3 pohci13F;pohci13F; [x]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 03:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2010-09-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]
.
2011-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-18 08:17]
.
2011-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-18 08:17]
.
2009-12-22 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-12-22 12:22]
.
2009-12-22 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-12-22 12:22]
.
2011-03-26 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1052084855-908235394-1647191414-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2011-03-26 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1052084855-908235394-1647191414-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2011-03-26 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1052084855-908235394-1647191414-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2011-03-26 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1052084855-908235394-1647191414-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2011-03-26 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1052084855-908235394-1647191414-1010.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2011-03-26 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1052084855-908235394-1647191414-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2011-03-24 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1052084855-908235394-1647191414-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2011-03-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1052084855-908235394-1647191414-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2011-03-26 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1052084855-908235394-1647191414-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
2011-02-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1052084855-908235394-1647191414-1010.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sky.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant =
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-26 20:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(656)
c:\program files\Citrix\GoToAssist\599\G2AWinLogon.dll
.
- - - - - - - > 'explorer.exe'(1352)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\system32\UAService7.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\rundll32.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\stsystra.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\windows\system32\dlbxcoms.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-03-26 20:47:03 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-26 20:46
ComboFix2.txt 2011-03-26 15:23
.
Pre-Run: 161,787,973,632 bytes free
Post-Run: 161,772,924,928 bytes free
.
- - End Of File - - EFB2C06271FDA0A0447CACDFE764CA6E

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Tom at 20:51:48.73 on 26/03/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1022.398 [GMT 0:00]
.
AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\rundll32.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\BT Home Computing\BTHomeComputing.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tom\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.sky.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant =
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn3\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [Yahoo! Pager] c:\progra~1\yahoo!\messen~1\ypager.exe -quiet
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [Motive SmartBridge] c:\progra~1\btbroa~2\smartb~1\BTHelpNotifier.exe
mRun: [DLBXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBXtime.dll,_RunDLLEntry@16
mRun: [dlbxmon.exe] "c:\program files\dell photo aio printer 962\dlbxmon.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bthome~1.lnk - c:\program files\bt home computing\BTHomeComputing.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\599\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
============= SERVICES / DRIVERS ===============
.
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-4 214664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-12-22 88176]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-12-22 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-12-22 144704]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-12-22 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-12-22 35272]
S2 gupdate1ca0780a85c5674;Google Update Service (gupdate1ca0780a85c5674);c:\program files\google\update\GoogleUpdate.exe [2009-7-18 133104]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-12-22 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-12-22 40552]
S3 pohci13F;pohci13F; [x]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-12-22 606736]
.
=============== Created Last 30 ================
.
2011-03-26 15:00:34 -------- d-sha-r- C:\cmdcons
2011-03-26 14:52:57 98816 ----a-w- c:\windows\sed.exe
2011-03-26 14:52:57 89088 ----a-w- c:\windows\MBR.exe
2011-03-26 14:52:57 256512 ----a-w- c:\windows\PEV.exe
2011-03-26 14:52:57 161792 ----a-w- c:\windows\SWREG.exe
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 20:52:50.76 ===============

#8 User is offline   km2357 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 1,748
  • Joined: 13-January 08
  • Gender:Male
  • Location:California

Posted 26 March 2011 - 11:31 PM

Step # 1 Update Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u24.
  • Click on the link to download Windows Offline Installation and save to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Remove the following old versions of Java:


  • Java™ 6 Update 2

    Java™ 6 Update 3

    Java™ 6 Update 23


  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.

  • From your desktop double-click on the download to install the newest version.





Step # 2: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.



Step # 3 Run Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware.
  • Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
  • Next click the Scanner tab and select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • You can also access the log by doing the following:

  • Click on the Malwarebytes' Anti-Malware icon to launch the program.
  • Click on the Logs tab.
  • Click on the log at the bottom of those listed to highlight it.
  • Click Open.



Post the MalwareBytes' Log in your next post/reply.
MalWare Removal University Master
Member of ASAP
Posted Image

#9 User is offline   Paisley Panda 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 10
  • Joined: 15-March 11

Posted 27 March 2011 - 10:43 AM

Hi, I've followed all of your steps and attach the malware bytes log.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6183

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

27/03/2011 16:29:24
mbam-log-2011-03-27 (16-29-24).txt

Scan type: Quick scan
Objects scanned: 198934
Time elapsed: 6 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\xceedftp0.dll (Trojan.FakeMS) -> Quarantined and deleted successfully.

#10 User is offline   km2357 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 1,748
  • Joined: 13-January 08
  • Gender:Male
  • Location:California

Posted 27 March 2011 - 12:05 PM

Step # 1 Update Adobe Acrobat Reader

There is a newer version of Adobe Acrobat Reader available. (See Note below)

  • First, go to Add/Remove Programs and uninstall Adobe Reader 8.1.4.
  • Please go to this link Adobe Acrobat Reader Download Link
  • On the right Untick McAfee® Security Scan Plus if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts


Note: Adobe Reader X is a large program and if you prefer a smaller program you can get Foxit 4.3.1 instead from http://www.foxitsoftware.com/downloads/index.php

If you decide to install Foxit 4.3.1 instead of Adobe, do the following during Foxit's Setup/Installation process:

Uncheck the following boxes:

I accept the License Terms and want to install Foxit Toolbar

Make Ask.com my default search

Create desktop, quick launch and start menu icon to eBay



Step # 2 Run ESET

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Make sure that Remove found threats is unchecked
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image



In your next post/reply, I need to see the following:

1. ESET Log
2. A fresh DDS Log
3. How is your computer doing, any problems?
MalWare Removal University Master
Member of ASAP
Posted Image

#11 User is offline   km2357 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 1,748
  • Joined: 13-January 08
  • Gender:Male
  • Location:California

Posted 30 March 2011 - 01:23 PM

Paisley Panda? How are things coming along?
MalWare Removal University Master
Member of ASAP
Posted Image

#12 User is offline   Paisley Panda 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 10
  • Joined: 15-March 11

Posted 30 March 2011 - 04:03 PM

Sorry for the delay.

I wasn't able to download the Adobe Reader. There was a problem when it asked me to ok ActiveX. Any time I clicked yes to accept, the tab would refresh saying that there was a problem with the site and the tab was being recovered. I tried it over a few days, with the same results.

The foxit software downloaded without any problems.

I then couldn't run the ESET scan. Same sort of problem as with Adobe. After accepting terms and clicking yes I get the ActiveX bar at the top, when I click to accept I get returned to the terms of use page. The same thing happens over and over again.

#13 User is offline   km2357 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 1,748
  • Joined: 13-January 08
  • Gender:Male
  • Location:California

Posted 30 March 2011 - 11:26 PM

Ok, we'll try a different online scanner than ESET. :)


Step # 1: Run Panda Online Scan

Run Panda's ActiveScan from here and perform a full system scan.
- Once you are on the Panda site click the "Scan your PC" button
- A new window will open...click the big "Check Now" button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
- Click on "Local Disks" to start the scan
- Save the log file to your desktop


Post the Panda Log in your next reply/post.


1. Panda Log
2. A fresh DDS Log
3. How is your computer doing, any problems?
MalWare Removal University Master
Member of ASAP
Posted Image

#14 User is offline   Paisley Panda 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 10
  • Joined: 15-March 11

Posted 31 March 2011 - 03:57 PM

Again, that scan won't work. There seems to be a problem any time there's an ActiveX add on. When I click the tab I get a message that there's been a problem with the webpage that has caused IE to close down and that the tab has been recovered.

Any ideas?

#15 User is offline   km2357 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 1,748
  • Joined: 13-January 08
  • Gender:Male
  • Location:California

Posted 31 March 2011 - 05:26 PM

Try this and see if it works:

Open up Internet Explorer, then click Tools > Internet Options > Advanced > and uncheck the “Enable memory protection to help mitigate online attacks” option.

Then click Ok/Apply and see if you can get either the Panda or ESET scan to run.

If you can run one of them and post its log, plus a DDS log and tell how your computer is doing in your next post/reply.
MalWare Removal University Master
Member of ASAP
Posted Image

Share this topic:


  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users