
computer issues


  • This topic is locked
24 replies to this topic

#1 fscguy

fscguy

  • Members
  • 145 posts
  • OFFLINE
  • Local time:11:51 AM

Posted 17 November 2008 - 08:56 PM

My computer is running extremely slow. I can't move between tabs in Firefox unless I go to another program and come back.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:54:20 PM, on 11/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\OpenSA\Apache2\bin\Apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\OpenSA\Apache2\bin\Apache.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\StreamingStar\HiDownload\HiDownload.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5080610
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5080610
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [\\MAIN\EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P37 "\\MAIN\EPSON Stylus Photo R320 Series" /O6 "USB002" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R320 Series on MAIN] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P43 "Auto EPSON Stylus Photo R320 Series on MAIN" /O13 "\\MAIN\EPSON1" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: check-ip-changed.bat
O4 - Startup: MEMonitor.lnk = C:\Program Files\Sprint music manager\MEMonitor.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download all by NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\StreamingStar\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\Program Files\StreamingStar\HiDownload\HDGet.htm
O8 - Extra context menu item: Download by NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Extract Flash Video with Bytescout... - {F7DC590B-B6AD-4F7D-A778-7954A6D15B7F} - C:\Program Files\Bytescout Movies Extractor Scout\flashextract_ie.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\StreamingStar\HiDownload\hidownload.exe (HKCU)
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {7E9522CF-6B95-46D6-8E2F-7638F507313F} (BLS_SpeedOP.systemcheck) - http://www.fastaccess.drivers.bellsouth.ne...bls_speedop.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: McAfee Application Installer Cleanup (0264041226929432) (0264041226929432mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\026404~1.EXE
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apache2 - Apache Software Foundation - C:\OpenSA\Apache2\bin\Apache.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DellAMBrokerService - Unknown owner - C:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10717 bytes
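A HijackThis log like the one above is mostly a list of autoruns (O4), browser add-ons (O2/O3/O8/O9) and services (O23), and a helper's first pass is a quick triage of where each entry points. The script below is an added example written for this page, not part of the thread and not HijackThis code. It parses the O4 Run, O4 Startup and O23 line formats and applies a few conservative checks (target file reported missing, binary running from a temp directory, service with no publisher string, autorun given as a bare filename, script in the Startup folder). The sample lines are copied from the log above; the regexes assume the line layout shown there, including that a service display name contains no " - ".

```python
import re

# Constructed sample: entries copied from the HijackThis log in the post above,
# chosen so that each triage check below fires on at least one line.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: check-ip-changed.bat
O9 - Extra button: Extract Flash Video with Bytescout... - {F7DC590B-B6AD-4F7D-A778-7954A6D15B7F} - C:\Program Files\Bytescout Movies Extractor Scout\flashextract_ie.html (file missing)
O23 - Service: McAfee Application Installer Cleanup (0264041226929432) (0264041226929432mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\026404~1.EXE
O23 - Service: Apache2 - Apache Software Foundation - C:\OpenSA\Apache2\bin\Apache.exe
O23 - Service: DellAMBrokerService - Unknown owner - C:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe
"""

# O4 Run-key entry: "O4 - <hive>\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O4 Startup-folder entry: "O4 - Startup: <file>"
STARTUP_RE = re.compile(r"^O4 - Startup: (?P<cmd>.*)$")
# O23 service: "O23 - Service: <display name> (<short name>) - <publisher> - <image path>"
# (assumption: the display name contains no " - ", which holds for the log above)
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def executable_of(cmd):
    """Return the program part of a Run-key command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def parse_hjt(text):
    """Turn log lines into dicts; lines of other types are kept as kind 'other'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := RUN_RE.match(line):
            entries.append({"kind": "run", "hive": m["hive"], "name": m["name"],
                            "path": executable_of(m["cmd"]), "raw": line})
        elif m := STARTUP_RE.match(line):
            entries.append({"kind": "startup", "name": m["cmd"], "path": m["cmd"], "raw": line})
        elif m := SERVICE_RE.match(line):
            entries.append({"kind": "service", "name": m["name"], "owner": m["owner"],
                            "path": m["path"], "raw": line})
        else:
            entries.append({"kind": "other", "path": "", "raw": line})
    return entries


def triage(entries):
    """Heuristic checks a helper applies before asking the poster about an entry.

    Each finding is (raw line, reason). A hit means 'look closer', not 'malicious'."""
    findings = []
    for e in entries:
        p = e["path"].lower()
        if "(file missing)" in e["raw"]:
            findings.append((e["raw"], "target file missing"))
        if "\\temp\\" in p:
            findings.append((e["raw"], "runs from a temp directory"))
        if e["kind"] == "service" and e["owner"] == "Unknown owner":
            findings.append((e["raw"], "service has no publisher string"))
        if e["kind"] in ("run", "startup") and p and "\\" not in p:
            findings.append((e["raw"], "no directory given; resolved through the search path"))
        if e["kind"] == "startup" and p.endswith((".bat", ".cmd", ".vbs")):
            findings.append((e["raw"], "script in the Startup folder"))
    return findings


if __name__ == "__main__":
    for raw, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{reason:50s} {raw[:70]}")
```

Run against the full log, the script points at exactly the lines a helper would ask about first; everything else still needs the usual judgement about the program behind the path.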


#2 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:05:51 PM

Posted 04 December 2008 - 08:43 PM

Hello and welcome to BC

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

If you are still having a problem, and want us to analyze your information, please reply to this topic stating that you still need help and I will work with you on resolving your computer problems. If your problem has been resolved, please post a reply letting us know so we can close your topic.

Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, feel free to create a new one.

Once again, I apologize for the delay in responding to this topic.

Regards
SNOWHITE

#3 fscguy

fscguy
  • Topic Starter

  • Members
  • 145 posts
  • OFFLINE
  • Local time:11:51 AM

Posted 04 December 2008 - 08:49 PM

I still need help.

#4 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:05:51 PM

Posted 04 December 2008 - 10:05 PM

Hello again,

Please download DDS and save it to your desktop.

Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------

Please include the contents of the following in your next reply:

dds.txt

Attach the following report to your post by clicking the Manage Attachments button under Additional Options>Attach Files on the composition page. Browse to where you saved the file, and click Upload.

File to upload: Attach.txt

Download gmer.zip and save to your desktop.
alternate download site 1
alternate download site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on "Settings", then check the first five settings:
    *System Protection and Tracing
    *Processes
    *Save created processes to the log
    *Drivers
    *Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
Important! Please do not select the "Show all" checkbox during the scan.

Please post back with the requested reports.

Regards
SNOWHITE
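The gmer.txt these steps produce records every code hook GMER found as one line: the section (.text or PAGE), the hooked export, its address, how many bytes were overwritten, the JMP target, and, when GMER can map that target to a file on disk, the module and its version description. The parser below is an added example for this page, not GMER's own code and not part of the thread. It reads that one-line-per-hook layout, groups hooks by process (kernel hooks under "kernel"), and separates hooks whose target GMER attributed to a named module from those it could not. An unattributed target only means GMER found no loaded file at that address; it is where a helper looks next, not a verdict. The sample lines are constructed from values in the log posted below.

```python
import re
from collections import defaultdict

# Constructed sample in GMER's one-line-per-hook layout; values copied from the log below.
SAMPLE_GMER = r"""
---- Kernel code sections - GMER 1.0.14 ----

.text  ntkrnlpa.exe!ZwYieldExecution  80504AB0 7 Bytes  JMP B07809E0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!NtCreateFile  80577F8E 5 Bytes  JMP B07809B6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.14 ----

.text  C:\WINDOWS\Explorer.EXE[256] kernel32.dll!CreateProcessW  7C802332 5 Bytes  JMP 01960EF8
.text  C:\WINDOWS\Explorer.EXE[256] WS2_32.dll!socket  71AB3B91 5 Bytes  JMP 00E40FEF
.text  c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[784] kernel32.dll!LoadLibraryA  7C801D77 5 Bytes  JMP 0041C170 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text  C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!CreateProcessW  7C802332 5 Bytes  JMP 00F40F1D
"""

# "<section>  <where>  <addr> <n> Bytes  JMP <target> [<module path> (<description>)]"
HOOK_RE = re.compile(
    r"^(?P<section>\S+)\s+(?P<where>.+?)\s+(?P<addr>[0-9A-F]{8})\s+(?P<len>\d+) Bytes\s+"
    r"JMP (?P<target>[0-9A-F]{8})(?:\s+(?P<module>.*))?$"
)
# <where> is "image!export" for kernel hooks or "<process path>[<pid>] image!export" in user mode
WHERE_RE = re.compile(r"^(?:(?P<proc>.+)\[(?P<pid>\d+)\] )?(?P<image>[^!]+)!(?P<func>\S+)$")


def parse_gmer(text):
    """Return one dict per hook line; headers and blank lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        w = WHERE_RE.match(m["where"])
        if not w:
            continue
        module = (m["module"] or "").split(" (")[0]  # drop "(description/vendor)"
        hooks.append({
            "section": m["section"],
            "process": w["proc"] or "kernel",
            "pid": int(w["pid"]) if w["pid"] else None,
            "image": w["image"],
            "func": w["func"],
            "addr": int(m["addr"], 16),
            "patch_len": int(m["len"]),
            "target": int(m["target"], 16),
            "target_module": module or None,
        })
    return hooks


def summarize(hooks):
    """Per process: hook count, target modules GMER named, and hooks it could not attribute."""
    by_proc = defaultdict(lambda: {"count": 0, "modules": set(), "unattributed": []})
    for h in hooks:
        s = by_proc[h["process"]]
        s["count"] += 1
        if h["target_module"]:
            s["modules"].add(h["target_module"])
        else:
            s["unattributed"].append(f"{h['image']}!{h['func']} -> {h['target']:08X}")
    return dict(by_proc)


if __name__ == "__main__":
    for proc, s in summarize(parse_gmer(SAMPLE_GMER)).items():
        print(f"{proc}: {s['count']} hooks, modules={sorted(s['modules'])}, "
              f"unattributed={s['unattributed']}")
```

On the full log this turns several hundred lines into one summary per process, which is the view a helper wants: which hooks belong to the installed security product and which ones still need an explanation.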

#5 fscguy

fscguy
  • Topic Starter

  • Members
  • 145 posts
  • OFFLINE
  • Local time:11:51 AM

Posted 05 December 2008 - 06:42 PM

[attachment=9077:Attach.txt]

here is the gmer report

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-05 18:40:09
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

INT 0x01  \SystemRoot\system32\DRIVERS\ati2mtag.sys (ATI Radeon WindowsNT Miniport Driver/ATI Technologies Inc.)  B929D541
INT 0x03  \SystemRoot\system32\DRIVERS\ati2mtag.sys (ATI Radeon WindowsNT Miniport Driver/ATI Technologies Inc.)  B929D5E7

Code  \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwCreateFile [0xB07809B2]
Code  \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwCreateKey [0xB0780A49]
Code  \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwCreateProcess [0xB078095D]
Code  \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwCreateProcessEx [0xB0780976]
Code  \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwDeleteKey [0xB0780A5D]
Code  \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwDeleteValueKey [0xB0780A89]
Code  \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwEnumerateKey [0xB0780AF7]
Code  \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwEnumerateValueKey [0xB0780AE1]
Code  \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwMapViewOfSection [0xB07809F2]
Code  \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwNotifyChangeKey [0xB0780B23]
Code  \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwOpenKey [0xB0780A35]
Code  \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwOpenProcess [0xB0780930]
Code  \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwOpenThread [0xB0780944]
Code  \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwProtectVirtualMemory [0xB07809C6]
Code  \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwQueryKey [0xB0780B5F]
Code  \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwQueryMultipleValueKey [0xB0780ACB]
Code  \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwQueryValueKey [0xB0780AB5]
Code  \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwRenameKey [0xB0780A73]
Code  \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwReplaceKey [0xB0780B4B]
Code  \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwRestoreKey [0xB0780B37]
Code  \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwSetContextThread [0xB078099E]
Code  \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwSetInformationProcess [0xB078098A]
Code  \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwSetValueKey [0xB0780A9F]
Code  \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwTerminateProcess [0xB0780A21]
Code  \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwUnloadKey [0xB0780B0D]
Code  \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwUnmapViewOfSection [0xB0780A08]
Code  \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  ZwYieldExecution [0xB07809DC]
Code  \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  NtCreateFile
Code  \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  NtMapViewOfSection
Code  \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  NtOpenProcess
Code  \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  NtOpenThread
Code  \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)  NtSetInformationProcess

---- Kernel code sections - GMER 1.0.14 ----

.text  ntkrnlpa.exe!ZwYieldExecution  80504AB0 7 Bytes  JMP B07809E0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!NtCreateFile  80577F8E 5 Bytes  JMP B07809B6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!NtMapViewOfSection  805B0E36 7 Bytes  JMP B07809F6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!ZwUnmapViewOfSection  805B1C44 5 Bytes  JMP B0780A0C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!ZwProtectVirtualMemory  805B7216 7 Bytes  JMP B07809CA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!NtOpenProcess  805CA150 5 Bytes  JMP B0780934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!NtOpenThread  805CA3DC 5 Bytes  JMP B0780948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!NtSetInformationProcess  805CCB9A 5 Bytes  JMP B078098E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!ZwCreateProcessEx  805CFE70 7 Bytes  JMP B078097A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!ZwCreateProcess  805CFF26 5 Bytes  JMP B0780961 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!ZwSetContextThread  805D0430 5 Bytes  JMP B07809A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!ZwTerminateProcess  805D167A 5 Bytes  JMP B0780A25 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!ZwQueryValueKey  80620638 7 Bytes  JMP B0780AB9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!ZwRestoreKey  80620986 5 Bytes  JMP B0780B3B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!ZwSetValueKey  80620C3E 7 Bytes  JMP B0780AA3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!ZwUnloadKey  80620F06 7 Bytes  JMP B0780B11 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!ZwQueryMultipleValueKey  8062174C 7 Bytes  JMP B0780ACF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!ZwRenameKey  80621FA4 7 Bytes  JMP B0780A77 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!ZwCreateKey  8062257E 5 Bytes  JMP B0780A4D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!ZwDeleteKey  80622A0E 7 Bytes  JMP B0780A61 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!ZwDeleteValueKey  80622BDE 7 Bytes  JMP B0780A8D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!ZwEnumerateKey  80622DBE 7 Bytes  JMP B0780AFB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!ZwEnumerateValueKey  80623028 7 Bytes  JMP B0780AE5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!ZwOpenKey  80623914 5 Bytes  JMP B0780A39 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!ZwQueryKey  80623C38 7 Bytes  JMP B0780B63 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!ZwReplaceKey  8062415E 5 Bytes  JMP B0780B4F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE  ntkrnlpa.exe!ZwNotifyChangeKey  80624278 5 Bytes  JMP B0780B27 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.14 ----

.text  C:\WINDOWS\Explorer.EXE[256] kernel32.dll!CreateFileA  7C801A24 5 Bytes  JMP 01960000
.text  C:\WINDOWS\Explorer.EXE[256] kernel32.dll!VirtualProtectEx  7C801A5D 5 Bytes  JMP 01960F52
.text  C:\WINDOWS\Explorer.EXE[256] kernel32.dll!VirtualProtect  7C801AD0 5 Bytes  JMP 01960F77
.text  C:\WINDOWS\Explorer.EXE[256] kernel32.dll!LoadLibraryExW  7C801AF1 5 Bytes  JMP 01960051
.text  C:\WINDOWS\Explorer.EXE[256] kernel32.dll!LoadLibraryExA  7C801D4F 5 Bytes  JMP 01960040
.text  C:\WINDOWS\Explorer.EXE[256] kernel32.dll!LoadLibraryA  7C801D77 5 Bytes  JMP 01960FAF
.text  C:\WINDOWS\Explorer.EXE[256] kernel32.dll!GetStartupInfoW  7C801E50 5 Bytes  JMP 01960F1A
.text  C:\WINDOWS\Explorer.EXE[256] kernel32.dll!GetStartupInfoA  7C801EEE 5 Bytes  JMP 01960F41
.text  C:\WINDOWS\Explorer.EXE[256] kernel32.dll!CreateProcessW  7C802332 5 Bytes  JMP 01960EF8
.text  C:\WINDOWS\Explorer.EXE[256] kernel32.dll!CreateProcessA  7C802367 5 Bytes  JMP 01960087
.text  C:\WINDOWS\Explorer.EXE[256] kernel32.dll!GetProcAddress  7C80ADA0 5 Bytes  JMP 01960EE7
.text  C:\WINDOWS\Explorer.EXE[256] kernel32.dll!LoadLibraryW  7C80AE4B 5 Bytes  JMP 01960F9E
.text  C:\WINDOWS\Explorer.EXE[256] kernel32.dll!CreateFileW  7C810760 5 Bytes  JMP 01960FE5
.text  C:\WINDOWS\Explorer.EXE[256] kernel32.dll!CreatePipe  7C81E0C7 5 Bytes  JMP 0196006C
.text  C:\WINDOWS\Explorer.EXE[256] kernel32.dll!CreateNamedPipeW  7C82F0D4 5 Bytes  JMP 01960FCA
.text  C:\WINDOWS\Explorer.EXE[256] kernel32.dll!CreateNamedPipeA  7C85FC74 5 Bytes  JMP 0196001B
.text  C:\WINDOWS\Explorer.EXE[256] kernel32.dll!WinExec  7C86136D 5 Bytes  JMP 01960F09
.text  C:\WINDOWS\Explorer.EXE[256] ADVAPI32.dll!RegOpenKeyExW  77DD6A78 5 Bytes  JMP 01940014
.text  C:\WINDOWS\Explorer.EXE[256] ADVAPI32.dll!RegCreateKeyExW  77DD7535 5 Bytes  JMP 01940F97
.text  C:\WINDOWS\Explorer.EXE[256] ADVAPI32.dll!RegOpenKeyExA  77DD761B 5 Bytes  JMP 01940FC3
.text  C:\WINDOWS\Explorer.EXE[256] ADVAPI32.dll!RegOpenKeyW  77DD770F 5 Bytes  JMP 01940FDE
.text  C:\WINDOWS\Explorer.EXE[256] ADVAPI32.dll!RegCreateKeyExA  77DDEAF4 5 Bytes  JMP 0194004A
.text  C:\WINDOWS\Explorer.EXE[256] ADVAPI32.dll!RegCreateKeyW  77DF8F7D 5 Bytes  JMP 01940FA8
.text  C:\WINDOWS\Explorer.EXE[256] ADVAPI32.dll!RegOpenKeyA  77DFC41B 5 Bytes  JMP 01940FEF
.text  C:\WINDOWS\Explorer.EXE[256] ADVAPI32.dll!RegCreateKeyA  77DFD5BB 5 Bytes  JMP 01940025
.text  C:\WINDOWS\Explorer.EXE[256] WININET.dll!InternetOpenW  771BAED5 5 Bytes  JMP 00ED001B
.text  C:\WINDOWS\Explorer.EXE[256] WININET.dll!InternetOpenA  771C574E 5 Bytes  JMP 00ED0000
.text  C:\WINDOWS\Explorer.EXE[256] WININET.dll!InternetOpenUrlA  771C5A01 5 Bytes  JMP 00ED0FD9
.text  C:\WINDOWS\Explorer.EXE[256] WININET.dll!InternetOpenUrlW  771D5B4A 5 Bytes  JMP 00ED0036
.text  C:\WINDOWS\Explorer.EXE[256] WS2_32.dll!socket  71AB3B91 5 Bytes  JMP 00E40FEF
.text  C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!CreateFileA  7C801A24 5 Bytes  JMP 00990FE5
.text  C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!VirtualProtectEx  7C801A5D 5 Bytes  JMP 00990F83
.text  C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!VirtualProtect  7C801AD0 5 Bytes  JMP 00990078
.text  C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!LoadLibraryExW  7C801AF1 5 Bytes  JMP 00990067
.text  C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!LoadLibraryExA  7C801D4F 5 Bytes  JMP 0099004A
.text  C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!LoadLibraryA  7C801D77 5 Bytes  JMP 00990FB2
.text  C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!GetStartupInfoW  7C801E50 5 Bytes  JMP 00990F68
.text  C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!GetStartupInfoA  7C801EEE 5 Bytes  JMP 009900A4
.text  C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!CreateProcessW  7C802332 5 Bytes  JMP 00990F28
.text  C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!CreateProcessA  7C802367 5 Bytes  JMP 00990F4D
.text  C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!GetProcAddress  7C80ADA0 5 Bytes  JMP 009900DC
.text  C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!LoadLibraryW  7C80AE4B 5 Bytes  JMP 00990039
.text  C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!CreateFileW  7C810760 5 Bytes  JMP 0099000A
.text  C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!CreatePipe  7C81E0C7 5 Bytes  JMP 00990089
.text  C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!CreateNamedPipeW  7C82F0D4 5 Bytes  JMP 00990FC3
.text  C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!CreateNamedPipeA  7C85FC74 5 Bytes  JMP 00990FD4
.text  C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!WinExec  7C86136D 5 Bytes  JMP 009900CB
.text  C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegOpenKeyExW  77DD6A78 5 Bytes  JMP 0098002C
.text  C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegCreateKeyExW  77DD7535 5 Bytes  JMP 00980051
.text  C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegOpenKeyExA  77DD761B 5 Bytes  JMP 0098001B
.text  C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegOpenKeyW  77DD770F 5 Bytes  JMP 00980FE5
.text  C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegCreateKeyExA  77DDEAF4 5 Bytes  JMP 00980F94
.text  C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegCreateKeyW  77DF8F7D 5 Bytes  JMP 00980FA5
.text  C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegOpenKeyA  77DFC41B 5 Bytes  JMP 00980000
.text  C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegCreateKeyA  77DFD5BB 5 Bytes  JMP 00980FC0
.text  c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[784] kernel32.dll!LoadLibraryA  7C801D77 5 Bytes  JMP 0041C170 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text  c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[784] kernel32.dll!LoadLibraryW  7C80AE4B 5 Bytes  JMP 0041C1F0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text  C:\WINDOWS\system32\services.exe[1064] kernel32.dll!CreateFileA  7C801A24 5 Bytes  JMP 00930000
.text  C:\WINDOWS\system32\services.exe[1064] kernel32.dll!VirtualProtectEx  7C801A5D 5 Bytes  JMP 0093006E
.text  C:\WINDOWS\system32\services.exe[1064] kernel32.dll!VirtualProtect  7C801AD0 5 Bytes  JMP 00930053
.text  C:\WINDOWS\system32\services.exe[1064] kernel32.dll!LoadLibraryExW  7C801AF1 5 Bytes  JMP 00930F79
.text  C:\WINDOWS\system32\services.exe[1064] kernel32.dll!LoadLibraryExA  7C801D4F 5 Bytes  JMP 00930036
.text  C:\WINDOWS\system32\services.exe[1064] kernel32.dll!LoadLibraryA  7C801D77 5 Bytes  JMP 00930025
.text  C:\WINDOWS\system32\services.exe[1064] kernel32.dll!GetStartupInfoW  7C801E50 5 Bytes  JMP 00930090
.text  C:\WINDOWS\system32\services.exe[1064] kernel32.dll!GetStartupInfoA  7C801EEE 5 Bytes  JMP 0093007F
.text  C:\WINDOWS\system32\services.exe[1064] kernel32.dll!CreateProcessW  7C802332 5 Bytes  JMP 00930F23
.text  C:\WINDOWS\system32\services.exe[1064] kernel32.dll!CreateProcessA  7C802367 5 Bytes  JMP 009300C6
.text  C:\WINDOWS\system32\services.exe[1064] kernel32.dll!GetProcAddress  7C80ADA0 5 Bytes  JMP 00930F12
.text  C:\WINDOWS\system32\services.exe[1064] kernel32.dll!LoadLibraryW  7C80AE4B 5 Bytes  JMP 00930F94
.text  C:\WINDOWS\system32\services.exe[1064] kernel32.dll!CreateFileW  7C810760 5 Bytes  JMP 00930FDB
.text  C:\WINDOWS\system32\services.exe[1064] kernel32.dll!CreatePipe  7C81E0C7 5 Bytes  JMP 00930F5E
.text  C:\WINDOWS\system32\services.exe[1064] kernel32.dll!CreateNamedPipeW  7C82F0D4 5 Bytes  JMP 00930FB9
.text  C:\WINDOWS\system32\services.exe[1064] kernel32.dll!CreateNamedPipeA  7C85FC74 5 Bytes  JMP 00930FCA
.text  C:\WINDOWS\system32\services.exe[1064] kernel32.dll!WinExec  7C86136D 5 Bytes  JMP 009300AB
.text  C:\WINDOWS\system32\services.exe[1064] ADVAPI32.dll!RegOpenKeyExW  77DD6A78 5 Bytes  JMP 00920FC3
.text  C:\WINDOWS\system32\services.exe[1064] ADVAPI32.dll!RegCreateKeyExW  77DD7535 5 Bytes  JMP 0092006F
.text  C:\WINDOWS\system32\services.exe[1064] ADVAPI32.dll!RegOpenKeyExA  77DD761B 5 Bytes  JMP 00920FD4
.text  C:\WINDOWS\system32\services.exe[1064] ADVAPI32.dll!RegOpenKeyW  77DD770F 5 Bytes  JMP 00920FEF
.text  C:\WINDOWS\system32\services.exe[1064] ADVAPI32.dll!RegCreateKeyExA  77DDEAF4 5 Bytes  JMP 00920FA8
.text  C:\WINDOWS\system32\services.exe[1064] ADVAPI32.dll!RegCreateKeyW  77DF8F7D 5 Bytes  JMP 0092004A
.text  C:\WINDOWS\system32\services.exe[1064] ADVAPI32.dll!RegOpenKeyA  77DFC41B 5 Bytes  JMP 00920000
.text  C:\WINDOWS\system32\services.exe[1064] ADVAPI32.dll!RegCreateKeyA  77DFD5BB 5 Bytes  JMP 0092002F
.text  C:\WINDOWS\system32\services.exe[1064] WS2_32.dll!socket  71AB3B91 5 Bytes  JMP 00900FEF
.text  C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!CreateFileA  7C801A24 5 Bytes  JMP 00F40000
.text  C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!VirtualProtectEx  7C801A5D 5 Bytes  JMP 00F40F88
.text  C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!VirtualProtect  7C801AD0 5 Bytes  JMP 00F40087
.text  C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!LoadLibraryExW  7C801AF1 5 Bytes  JMP 00F40FB9
.text  C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!LoadLibraryExA  7C801D4F 5 Bytes  JMP 00F40FCA
.text  C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!LoadLibraryA  7C801D77 5 Bytes  JMP 00F4005B
.text  C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!GetStartupInfoW  7C801E50 5 Bytes  JMP 00F40F49
.text  C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!GetStartupInfoA  7C801EEE 5 Bytes  JMP 00F40F66
.text  C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!CreateProcessW  7C802332 5 Bytes  JMP 00F40F1D
.text  C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!CreateProcessA  7C802367 5 Bytes  JMP 00F40F2E
.text  C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!GetProcAddress

7C80ADA0 5 Bytes JMP 00F400D1
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!LoadLibraryW

7C80AE4B 5 Bytes JMP 00F4006C
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!CreateFileW

7C810760 5 Bytes JMP 00F4001B
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!CreatePipe

7C81E0C7 5 Bytes JMP 00F40F77
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!CreateNamedPipeW

7C82F0D4 5 Bytes JMP 00F40040
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!CreateNamedPipeA

7C85FC74 5 Bytes JMP 00F40FEF
.text C:\WINDOWS\system32\lsass.exe[1076] kernel32.dll!WinExec

7C86136D 5 Bytes JMP 00F400AC
.text C:\WINDOWS\system32\lsass.exe[1076] ADVAPI32.dll!RegOpenKeyExW

77DD6A78 5 Bytes JMP 00F30025
.text C:\WINDOWS\system32\lsass.exe[1076] ADVAPI32.dll!RegCreateKeyExW

77DD7535 5 Bytes JMP 00F30062
.text C:\WINDOWS\system32\lsass.exe[1076] ADVAPI32.dll!RegOpenKeyExA

77DD761B 5 Bytes JMP 00F30FD4
.text C:\WINDOWS\system32\lsass.exe[1076] ADVAPI32.dll!RegOpenKeyW

77DD770F 5 Bytes JMP 00F30FE5
.text C:\WINDOWS\system32\lsass.exe[1076] ADVAPI32.dll!RegCreateKeyExA

77DDEAF4 5 Bytes JMP 00F30FA5
.text C:\WINDOWS\system32\lsass.exe[1076] ADVAPI32.dll!RegCreateKeyW

77DF8F7D 5 Bytes JMP 00F30047
.text C:\WINDOWS\system32\lsass.exe[1076] ADVAPI32.dll!RegOpenKeyA

77DFC41B 5 Bytes JMP 00F30000
.text C:\WINDOWS\system32\lsass.exe[1076] ADVAPI32.dll!RegCreateKeyA

77DFD5BB 5 Bytes JMP 00F30036
.text C:\WINDOWS\system32\lsass.exe[1076] WS2_32.dll!socket

71AB3B91 5 Bytes JMP 00E40000
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateFileA

7C801A24 5 Bytes JMP 00D80FE5
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!VirtualProtectEx

7C801A5D 5 Bytes JMP 00D80F77
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!VirtualProtect

7C801AD0 5 Bytes JMP 00D8006C
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!LoadLibraryExW

7C801AF1 5 Bytes JMP 00D80051
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!LoadLibraryExA

7C801D4F 5 Bytes JMP 00D80F94
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!LoadLibraryA

7C801D77 5 Bytes JMP 00D80025
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!GetStartupInfoW

7C801E50 5 Bytes JMP 00D80098
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!GetStartupInfoA

7C801EEE 5 Bytes JMP 00D80087
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateProcessW

7C802332 5 Bytes JMP 00D800CE
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateProcessA

7C802367 5 Bytes JMP 00D80F35
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!GetProcAddress

7C80ADA0 5 Bytes JMP 00D800DF
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!LoadLibraryW

7C80AE4B 5 Bytes JMP 00D80040
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateFileW

7C810760 5 Bytes JMP 00D80FCA
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreatePipe

7C81E0C7 5 Bytes JMP 00D80F5C
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateNamedPipeW

7C82F0D4 5 Bytes JMP 00D80000
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateNamedPipeA

7C85FC74 5 Bytes JMP 00D80FAF
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!WinExec

7C86136D 5 Bytes JMP 00D800B3
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyExW

77DD6A78 5 Bytes JMP 00D70FC7
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyExW

77DD7535 5 Bytes JMP 00D70F80
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyExA

77DD761B 5 Bytes JMP 00D70022
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyW

77DD770F 5 Bytes JMP 00D70011
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyExA

77DDEAF4 5 Bytes JMP 00D70F91
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyW

77DF8F7D 5 Bytes JMP 00D70033
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyA

77DFC41B 5 Bytes JMP 00D70000
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyA

77DFD5BB 5 Bytes JMP 00D70FAC
.text C:\WINDOWS\system32\svchost.exe[1244] WS2_32.dll!socket

71AB3B91 5 Bytes JMP 00D50000
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateFileA

7C801A24 5 Bytes JMP 00A80FEF
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!VirtualProtectEx

7C801A5D 5 Bytes JMP 00A80F80
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!VirtualProtect

7C801AD0 5 Bytes JMP 00A80F91
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!LoadLibraryExW

7C801AF1 5 Bytes JMP 00A80FAC
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!LoadLibraryExA

7C801D4F 5 Bytes JMP 00A80069
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!LoadLibraryA

7C801D77 5 Bytes JMP 00A80047
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!GetStartupInfoW

7C801E50 5 Bytes JMP 00A80F52
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!GetStartupInfoA

7C801EEE 5 Bytes JMP 00A80F63
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateProcessW

7C802332 5 Bytes JMP 00A800DA
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateProcessA

7C802367 5 Bytes JMP 00A80F41
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!GetProcAddress

7C80ADA0 5 Bytes JMP 00A80F30
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!LoadLibraryW

7C80AE4B 5 Bytes JMP 00A80058
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateFileW

7C810760 5 Bytes JMP 00A80000
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreatePipe

7C81E0C7 5 Bytes JMP 00A8009A
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateNamedPipeW

7C82F0D4 5 Bytes JMP 00A8002C
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateNamedPipeA

7C85FC74 5 Bytes JMP 00A80011
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!WinExec

7C86136D 5 Bytes JMP 00A800BF
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegOpenKeyExW

77DD6A78 5 Bytes JMP 00A70011
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegCreateKeyExW

77DD7535 5 Bytes JMP 00A70F8A
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegOpenKeyExA

77DD761B 5 Bytes JMP 00A70FC0
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegOpenKeyW

77DD770F 5 Bytes JMP 00A70000
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegCreateKeyExA

77DDEAF4 5 Bytes JMP 00A70F9B
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegCreateKeyW

77DF8F7D 5 Bytes JMP 00A7003D
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegOpenKeyA

77DFC41B 5 Bytes JMP 00A70FE5
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegCreateKeyA

77DFD5BB 5 Bytes JMP 00A70022
.text C:\WINDOWS\system32\svchost.exe[1304] WS2_32.dll!socket

71AB3B91 5 Bytes JMP 00A50000
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!CreateFileA

7C801A24 5 Bytes JMP 059C0FEF
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!VirtualProtectEx

7C801A5D 5 Bytes JMP 059C0047
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!VirtualProtect

7C801AD0 5 Bytes JMP 059C0036
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!LoadLibraryExW

7C801AF1 5 Bytes JMP 059C0F5C
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!LoadLibraryExA

7C801D4F 5 Bytes JMP 059C0F83
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!LoadLibraryA

7C801D77 5 Bytes JMP 059C0F9E
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!GetStartupInfoW

7C801E50 5 Bytes JMP 059C009A
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!GetStartupInfoA

7C801EEE 5 Bytes JMP 059C0073
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!CreateProcessW

7C802332 5 Bytes JMP 059C00C6
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!CreateProcessA

7C802367 5 Bytes JMP 059C00AB
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!GetProcAddress

7C80ADA0 5 Bytes JMP 059C0F08
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!LoadLibraryW

7C80AE4B 5 Bytes JMP 059C001B
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!CreateFileW

7C810760 5 Bytes JMP 059C0000
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!CreatePipe

7C81E0C7 5 Bytes JMP 059C0062
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!CreateNamedPipeW

7C82F0D4 5 Bytes JMP 059C0FAF
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!CreateNamedPipeA

7C85FC74 5 Bytes JMP 059C0FCA
.text C:\WINDOWS\System32\svchost.exe[1352] kernel32.dll!WinExec

7C86136D 5 Bytes JMP 059C0F37
.text C:\WINDOWS\System32\svchost.exe[1352] ADVAPI32.dll!RegOpenKeyExW

77DD6A78 5 Bytes JMP 059B0FC0
.text C:\WINDOWS\System32\svchost.exe[1352] ADVAPI32.dll!RegCreateKeyExW

77DD7535 5 Bytes JMP 059B0F8A
.text C:\WINDOWS\System32\svchost.exe[1352] ADVAPI32.dll!RegOpenKeyExA

77DD761B 5 Bytes JMP 059B001B
.text C:\WINDOWS\System32\svchost.exe[1352] ADVAPI32.dll!RegOpenKeyW

77DD770F 5 Bytes JMP 059B000A
.text C:\WINDOWS\System32\svchost.exe[1352] ADVAPI32.dll!RegCreateKeyExA

77DDEAF4 5 Bytes JMP 059B0047
.text C:\WINDOWS\System32\svchost.exe[1352] ADVAPI32.dll!RegCreateKeyW

77DF8F7D 5 Bytes JMP 059B0036
.text C:\WINDOWS\System32\svchost.exe[1352] ADVAPI32.dll!RegOpenKeyA

77DFC41B 5 Bytes JMP 059B0FEF
.text C:\WINDOWS\System32\svchost.exe[1352] ADVAPI32.dll!RegCreateKeyA

77DFD5BB 5 Bytes JMP 059B0FAF
.text C:\WINDOWS\System32\svchost.exe[1352] WS2_32.dll!socket

71AB3B91 5 Bytes JMP 05980000
.text C:\WINDOWS\System32\svchost.exe[1352] WININET.dll!InternetOpenW

771BAED5 5 Bytes JMP 05990FCA
.text C:\WINDOWS\System32\svchost.exe[1352] WININET.dll!InternetOpenA

771C574E 5 Bytes JMP 05990FEF
.text C:\WINDOWS\System32\svchost.exe[1352] WININET.dll!InternetOpenUrlA

771C5A01 5 Bytes JMP 05990FB9
.text C:\WINDOWS\System32\svchost.exe[1352] WININET.dll!InternetOpenUrlW

771D5B4A 5 Bytes JMP 05990F9C
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!CreateFileA

7C801A24 5 Bytes JMP 00980FE5
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!VirtualProtectEx

7C801A5D 5 Bytes JMP 0098004A
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!VirtualProtect

7C801AD0 5 Bytes JMP 00980039
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!LoadLibraryExW

7C801AF1 5 Bytes JMP 00980F61
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!LoadLibraryExA

7C801D4F 5 Bytes JMP 00980014
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!LoadLibraryA

7C801D77 5 Bytes JMP 00980F8D
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!GetStartupInfoW

7C801E50 5 Bytes JMP 00980076
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!GetStartupInfoA

7C801EEE 5 Bytes JMP 00980065
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!CreateProcessW

7C802332 5 Bytes JMP 009800A9
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!CreateProcessA

7C802367 5 Bytes JMP 00980098
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!GetProcAddress

7C80ADA0 5 Bytes JMP 009800C4
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!LoadLibraryW

7C80AE4B 5 Bytes JMP 00980F72
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!CreateFileW

7C810760 5 Bytes JMP 00980FCA
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!CreatePipe

7C81E0C7 5 Bytes JMP 00980F3A
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!CreateNamedPipeW

7C82F0D4 5 Bytes JMP 00980F9E
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!CreateNamedPipeA

7C85FC74 5 Bytes JMP 00980FAF
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!WinExec

7C86136D 5 Bytes JMP 00980087
.text C:\WINDOWS\system32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyExW

77DD6A78 5 Bytes JMP 00970FB9
.text C:\WINDOWS\system32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyExW

77DD7535 5 Bytes JMP 00970F79
.text C:\WINDOWS\system32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyExA

77DD761B 5 Bytes JMP 00970FCA
.text C:\WINDOWS\system32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyW

77DD770F 5 Bytes JMP 00970FE5
.text C:\WINDOWS\system32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyExA

77DDEAF4 5 Bytes JMP 00970040
.text C:\WINDOWS\system32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyW

77DF8F7D 5 Bytes JMP 00970F9E
.text C:\WINDOWS\system32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyA

77DFC41B 5 Bytes JMP 00970000
.text C:\WINDOWS\system32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyA

77DFD5BB 5 Bytes JMP 00970025
.text C:\WINDOWS\system32\svchost.exe[1480] WS2_32.dll!socket

71AB3B91 5 Bytes JMP 00950000
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!CreateFileA

7C801A24 5 Bytes JMP 00B70000
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!VirtualProtectEx

7C801A5D 5 Bytes JMP 00B7007F
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!VirtualProtect

7C801AD0 5 Bytes JMP 00B70F80
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!LoadLibraryExW

7C801AF1 5 Bytes JMP 00B70F91
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!LoadLibraryExA

7C801D4F 5 Bytes JMP 00B7004E
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!LoadLibraryA

7C801D77 5 Bytes JMP 00B7002C
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!GetStartupInfoW

7C801E50 5 Bytes JMP 00B700BC
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!GetStartupInfoA

7C801EEE 5 Bytes JMP 00B700A1
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!CreateProcessW

7C802332 5 Bytes JMP 00B700D7
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!CreateProcessA

7C802367 5 Bytes JMP 00B70F3E
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!GetProcAddress

7C80ADA0 5 Bytes JMP 00B70F2D
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!LoadLibraryW

7C80AE4B 5 Bytes JMP 00B7003D
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!CreateFileW

7C810760 5 Bytes JMP 00B70FDB
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!CreatePipe

7C81E0C7 5 Bytes JMP 00B70090
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!CreateNamedPipeW

7C82F0D4 5 Bytes JMP 00B7001B
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!CreateNamedPipeA

7C85FC74 5 Bytes JMP 00B70FCA
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!WinExec

7C86136D 5 Bytes JMP 00B70F59
.text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!RegOpenKeyExW

77DD6A78 5 Bytes JMP 00B60F9E
.text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!RegCreateKeyExW

77DD7535 5 Bytes JMP 00B60F57
.text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!RegOpenKeyExA

77DD761B 5 Bytes JMP 00B60FB9
.text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!RegOpenKeyW

77DD770F 5 Bytes JMP 00B60FDE
.text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!RegCreateKeyExA

77DDEAF4 5 Bytes JMP 00B60014
.text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!RegCreateKeyW

77DF8F7D 5 Bytes JMP 00B60F7C
.text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!RegOpenKeyA

77DFC41B 5 Bytes JMP 00B60FEF
.text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!RegCreateKeyA

77DFD5BB 5 Bytes JMP 00B60F8D
.text C:\WINDOWS\system32\svchost.exe[1504] WS2_32.dll!socket

71AB3B91 5 Bytes JMP 00B30FEF
.text C:\WINDOWS\system32\svchost.exe[1504] WININET.dll!InternetOpenW

771BAED5 5 Bytes JMP 00B4001B
.text C:\WINDOWS\system32\svchost.exe[1504] WININET.dll!InternetOpenA

771C574E 5 Bytes JMP 00B4000A
.text C:\WINDOWS\system32\svchost.exe[1504] WININET.dll!InternetOpenUrlA

771C5A01 5 Bytes JMP 00B40036
.text C:\WINDOWS\system32\svchost.exe[1504] WININET.dll!InternetOpenUrlW

771D5B4A 5 Bytes JMP 00B40FE5
.text C:\Program Files\TimeLeft3\TimeLeft.exe[3712] user32.dll!GetSysColor

7E418E78 5 Bytes JMP 0049CFBC C:\Program Files\TimeLeft3\TimeLeft.exe (TimeLeft/NesterSoft Inc.)
.text C:\Program Files\TimeLeft3\TimeLeft.exe[3712] user32.dll!GetSysColorBrush

7E418EAB 5 Bytes JMP 0049D020 C:\Program Files\TimeLeft3\TimeLeft.exe (TimeLeft/NesterSoft Inc.)
.text C:\WINDOWS\system32\wuauclt.exe[4480] kernel32.dll!CreateFileA

7C801A24 5 Bytes JMP 001B0000
.text C:\WINDOWS\system32\wuauclt.exe[4480] kernel32.dll!VirtualProtectEx

7C801A5D 5 Bytes JMP 001B00A4
.text C:\WINDOWS\system32\wuauclt.exe[4480] kernel32.dll!VirtualProtect

7C801AD0 5 Bytes JMP 001B0089
.text C:\WINDOWS\system32\wuauclt.exe[4480] kernel32.dll!LoadLibraryExW

7C801AF1 5 Bytes JMP 001B006C
.text C:\WINDOWS\system32\wuauclt.exe[4480] kernel32.dll!LoadLibraryExA

7C801D4F 5 Bytes JMP 001B005B
.text C:\WINDOWS\system32\wuauclt.exe[4480] kernel32.dll!LoadLibraryA

7C801D77 5 Bytes JMP 001B0036
.text C:\WINDOWS\system32\wuauclt.exe[4480] kernel32.dll!GetStartupInfoW

7C801E50 5 Bytes JMP 001B00E6
.text C:\WINDOWS\system32\wuauclt.exe[4480] kernel32.dll!GetStartupInfoA

7C801EEE 5 Bytes JMP 001B0F94
.text C:\WINDOWS\system32\wuauclt.exe[4480] kernel32.dll!CreateProcessW

7C802332 5 Bytes JMP 001B0F68
.text C:\WINDOWS\system32\wuauclt.exe[4480] kernel32.dll!CreateProcessA

7C802367 5 Bytes JMP 001B010B
.text C:\WINDOWS\system32\wuauclt.exe[4480] kernel32.dll!GetProcAddress

7C80ADA0 5 Bytes JMP 001B0F57
.text C:\WINDOWS\system32\wuauclt.exe[4480] kernel32.dll!LoadLibraryW

7C80AE4B 5 Bytes JMP 001B0FAF
.text C:\WINDOWS\system32\wuauclt.exe[4480] kernel32.dll!CreateFileW

7C810760 5 Bytes JMP 001B0FE5
.text C:\WINDOWS\system32\wuauclt.exe[4480] kernel32.dll!CreatePipe

7C81E0C7 5 Bytes JMP 001B00BF
.text C:\WINDOWS\system32\wuauclt.exe[4480] kernel32.dll!CreateNamedPipeW

7C82F0D4 5 Bytes JMP 001B0FCA
.text C:\WINDOWS\system32\wuauclt.exe[4480] kernel32.dll!CreateNamedPipeA

7C85FC74 5 Bytes JMP 001B0025
.text C:\WINDOWS\system32\wuauclt.exe[4480] kernel32.dll!WinExec

7C86136D 5 Bytes JMP 001B0F83
.text C:\WINDOWS\system32\wuauclt.exe[4480] ADVAPI32.dll!RegOpenKeyExW

77DD6A78 5 Bytes JMP 002B0FB9
.text C:\WINDOWS\system32\wuauclt.exe[4480] ADVAPI32.dll!RegCreateKeyExW

77DD7535 5 Bytes JMP 002B0F72
.text C:\WINDOWS\system32\wuauclt.exe[4480] ADVAPI32.dll!RegOpenKeyExA

77DD761B 5 Bytes JMP 002B0FCA
.text C:\WINDOWS\system32\wuauclt.exe[4480] ADVAPI32.dll!RegOpenKeyW

77DD770F 5 Bytes JMP 002B0000
.text C:\WINDOWS\system32\wuauclt.exe[4480] ADVAPI32.dll!RegCreateKeyExA

77DDEAF4 5 Bytes JMP 002B002F
.text C:\WINDOWS\system32\wuauclt.exe[4480] ADVAPI32.dll!RegCreateKeyW

77DF8F7D 5 Bytes JMP 002B0F8D
.text C:\WINDOWS\system32\wuauclt.exe[4480] ADVAPI32.dll!RegOpenKeyA

77DFC41B 5 Bytes JMP 002B0FE5
.text C:\WINDOWS\system32\wuauclt.exe[4480] ADVAPI32.dll!RegCreateKeyA

77DFD5BB 5 Bytes JMP 002B0FA8
.text C:\WINDOWS\system32\wuauclt.exe[5896] kernel32.dll!CreateFileA

7C801A24 5 Bytes JMP 001B0000
.text C:\WINDOWS\system32\wuauclt.exe[5896] kernel32.dll!VirtualProtectEx

7C801A5D 5 Bytes JMP 001B006E
.text C:\WINDOWS\system32\wuauclt.exe[5896] kernel32.dll!VirtualProtect

7C801AD0 5 Bytes JMP 001B005D
.text C:\WINDOWS\system32\wuauclt.exe[5896] kernel32.dll!LoadLibraryExW

7C801AF1 5 Bytes JMP 001B0F83
.text C:\WINDOWS\system32\wuauclt.exe[5896] kernel32.dll!LoadLibraryExA

7C801D4F 5 Bytes JMP 001B0040
.text C:\WINDOWS\system32\wuauclt.exe[5896] kernel32.dll!LoadLibraryA

7C801D77 5 Bytes JMP 001B0FB9
.text C:\WINDOWS\system32\wuauclt.exe[5896] kernel32.dll!GetStartupInfoW

7C801E50 5 Bytes JMP 001B009C
.text C:\WINDOWS\system32\wuauclt.exe[5896] kernel32.dll!GetStartupInfoA

7C801EEE 5 Bytes JMP 001B007F
.text C:\WINDOWS\system32\wuauclt.exe[5896] kernel32.dll!CreateProcessW

7C802332 5 Bytes JMP 001B00D2
.text C:\WINDOWS\system32\wuauclt.exe[5896] kernel32.dll!CreateProcessA

7C802367 5 Bytes JMP 001B00C1
.text C:\WINDOWS\system32\wuauclt.exe[5896] kernel32.dll!GetProcAddress

7C80ADA0 5 Bytes JMP 001B00E3
.text C:\WINDOWS\system32\wuauclt.exe[5896] kernel32.dll!LoadLibraryW

7C80AE4B 5 Bytes JMP 001B0FA8
.text C:\WINDOWS\system32\wuauclt.exe[5896] kernel32.dll!CreateFileW

7C810760 5 Bytes JMP 001B0FE5
.text C:\WINDOWS\system32\wuauclt.exe[5896] kernel32.dll!CreatePipe

7C81E0C7 5 Bytes JMP 001B0F54
.text C:\WINDOWS\system32\wuauclt.exe[5896] kernel32.dll!CreateNamedPipeW

7C82F0D4 5 Bytes JMP 001B001B
.text C:\WINDOWS\system32\wuauclt.exe[5896] kernel32.dll!CreateNamedPipeA

7C85FC74 5 Bytes JMP 001B0FD4
.text C:\WINDOWS\system32\wuauclt.exe[5896] kernel32.dll!WinExec

7C86136D 5 Bytes JMP 001B0F39
.text C:\WINDOWS\system32\wuauclt.exe[5896] ADVAPI32.dll!RegOpenKeyExW

77DD6A78 5 Bytes JMP 002B0FB2
.text C:\WINDOWS\system32\wuauclt.exe[5896] ADVAPI32.dll!RegCreateKeyExW

77DD7535 5 Bytes JMP 002B0F83
.text C:\WINDOWS\system32\wuauclt.exe[5896] ADVAPI32.dll!RegOpenKeyExA

77DD761B 5 Bytes JMP 002B0FCD
.text C:\WINDOWS\system32\wuauclt.exe[5896] ADVAPI32.dll!RegOpenKeyW

77DD770F 5 Bytes JMP 002B0FDE
.text C:\WINDOWS\system32\wuauclt.exe[5896] ADVAPI32.dll!RegCreateKeyExA

77DDEAF4 5 Bytes JMP 002B0040
.text C:\WINDOWS\system32\wuauclt.exe[5896] ADVAPI32.dll!RegCreateKeyW

77DF8F7D 5 Bytes JMP 002B0025
.text C:\WINDOWS\system32\wuauclt.exe[5896] ADVAPI32.dll!RegOpenKeyA

77DFC41B 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[5896] ADVAPI32.dll!RegCreateKeyA

77DFD5BB 5 Bytes JMP 002B0014
.text C:\WINDOWS\system32\wuauclt.exe[5896] WS2_32.dll!socket

71AB3B91 5 Bytes JMP 003C0000

---- User IAT/EAT - GMER 1.0.14 ----

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs

mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip

Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp

Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp

Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp

Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat

AC47EC8A

AttachedDevice \FileSystem\Fastfat \Fat

mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.14 ----

#6 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:05:51 PM

Posted 05 December 2008 - 07:19 PM

Hello,

Please also post dds.txt. If you haven't already saved it on your desktop, just rerun DDS and post the first log it produces; you will need to save it to your desktop.

Also, please do not alter the reports; just post them as they are originally produced, and don't put extra empty lines between entries. Before posting the reports here, please also open Notepad, click on Format, and make sure that there is no check mark next to Word Wrap. Thank you :thumbsup:

Regards
SNOWHITE

#7 fscguy

fscguy
  • Topic Starter

  • Members
  • 145 posts
  • OFFLINE
  •  
  • Local time:11:51 AM

Posted 05 December 2008 - 07:24 PM

here is the dds[attachment=9079:DDS.txt]

#8 fscguy

fscguy
  • Topic Starter

  • Members
  • 145 posts
  • OFFLINE
  •  
  • Local time:11:51 AM

Posted 07 December 2008 - 09:45 PM

do you need another report?

#9 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:05:51 PM

Posted 09 December 2008 - 10:44 PM

do you need another report?

Hello, sorry for the delay,

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove the older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 11".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.

    J2SE Runtime Environment 5.0 Update 6
    Java™ 6 Update 7

  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
Could you please also run Kaspersky online scan:

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
If you are having problems with Kaspersky, try the next one:

Run online scan with the ESET Online Scanner
Note: You need to use Internet Explorer.
  • Place a checkmark at the box next to YES, I accept the Terms of Use.
  • Click on the Start button.
  • Allow the ActiveX control to install.
  • Click on the Start button.
  • Place a checkmark next to Remove found threats and Scan unwanted applications, then click on Scan
  • When the scan is done, close Internet Explorer.
  • Click Start > Run, and paste this file path into the Run box:
    • %ProgramFiles%\EsetOnlineScanner\log.txt
  • Press the OK button.
  • The report from the scan will be opened in Notepad; copy and paste the results as a reply to this topic.
Also post a fresh HijackThis log, and let me know what kind of problems you are experiencing with the computer.

Regards

Edited by SNOWHITE, 09 December 2008 - 10:53 PM.

SNOWHITE
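Added example, not code from SNOWHITE or anyone in this thread: the manual review a helper does on a HijackThis log before asking for a fresh one can be scripted. The Python below parses the log's `Oxx - ...` / `Rx - ...` lines and flags the entry types that usually get a second look: script files in the Startup folder, entries whose target is marked `(file missing)`, O23 services whose binary lives in a temp directory or that report no publisher, and O16 ActiveX downloads whose origin should be checked. The sample log is constructed (modelled on the kinds of entries in this thread, with placeholder GUIDs and an `example.invalid` URL), and the rule set is this example's own, not anything HijackThis itself does.

```python
import re

# Constructed sample in HijackThis v2.0.2 format. Entries are modelled on the
# kinds of items seen in this thread; GUIDs and the URL are placeholders.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Java\\jre6\\bin\\jusched.exe"
O4 - Startup: check-ip-changed.bat
O4 - Startup: Webshots.lnk = C:\\Program Files\\Webshots\\Launcher.exe
O9 - Extra button: Extract Flash Video - {00000000-0000-0000-0000-000000000000} - C:\\Program Files\\Example\\flashextract_ie.html (file missing)
O16 - DPF: {00000000-0000-0000-0000-000000000001} (Example Control) - http://example.invalid/controls/example.cab
O23 - Service: Example Cleanup (examplecleanup) - Example Vendor - C:\\WINDOWS\\TEMP\\031223~1.EXE
O23 - Service: AG Windows Service (AGWinService) - Unknown owner - C:\\Program Files\\AGI\\common\\win32\\PythonService.exe
O23 - Service: Apache2 - Apache Software Foundation - C:\\OpenSA\\Apache2\\bin\\Apache.exe
"""

# Script-type extensions that should not normally sit in a Startup folder.
SCRIPT_EXT = re.compile(r"\.(bat|cmd|vbs|js|wsf|pif|scr)\s*$", re.IGNORECASE)
# Any path component named TEMP / TMP (services are not expected to run from there).
TEMP_PATH = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def parse_entries(log_text):
    """Return a list of {'line', 'section', 'body'} for every 'Oxx - ...' / 'Rx - ...' line."""
    entries = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = re.match(r"^([OR]\d{1,2}) - (.*)$", line.strip())
        if m:
            entries.append({"line": n, "section": m.group(1), "body": m.group(2)})
    return entries


def rule_startup_script(e):
    # O4 Startup-folder items that are themselves script files.
    return (e["section"] == "O4" and e["body"].startswith("Startup:")
            and SCRIPT_EXT.search(e["body"]) is not None)


def rule_file_missing(e):
    # HijackThis marks entries whose target no longer exists on disk.
    return "(file missing)" in e["body"]


def rule_service_from_temp(e):
    # O23 services whose executable lives under a temp directory.
    return e["section"] == "O23" and TEMP_PATH.search(e["body"]) is not None


def rule_service_unknown_owner(e):
    # O23 services with no publisher information.
    return e["section"] == "O23" and "Unknown owner" in e["body"]


def rule_activex_download(e):
    # O16 DPF entries are ActiveX controls downloaded from the web; check the origin.
    return e["section"] == "O16"


RULES = [
    ("startup-folder script", rule_startup_script),
    ("stale entry (file missing)", rule_file_missing),
    ("service binary in a temp directory", rule_service_from_temp),
    ("service with no publisher", rule_service_unknown_owner),
    ("downloaded ActiveX control (review origin)", rule_activex_download),
]


def triage(log_text):
    """Return (line_no, rule_name, body) for every entry that matches a rule."""
    findings = []
    for e in parse_entries(log_text):
        for name, pred in RULES:
            if pred(e):
                findings.append((e["line"], name, e["body"]))
    return findings


if __name__ == "__main__":
    for line, name, body in triage(SAMPLE_LOG):
        print(f"line {line:3d}  {name:45s} {body}")
```

A hit from `triage` is a prompt to look closer, not a verdict: the McAfee installer cleanup service in the thread's log runs from C:\WINDOWS\TEMP and is legitimate, and the point of the Startup-script rule is simply that a `.bat` launched at logon deserves to have its contents read.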

#10 fscguy

fscguy
  • Topic Starter

  • Members
  • 145 posts
  • OFFLINE
  •  
  • Local time:11:51 AM

Posted 12 December 2008 - 08:33 PM

here is the online scan report

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, December 12, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, December 12, 2008 21:04:33
Records in database: 1455936
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 82980
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:10:29

No malware has been detected. The scan area is clean.

The selected area was scanned.



here is the hijack file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:32:40 PM, on 12/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AGI\common\win32\PythonService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\OpenSA\Apache2\bin\Apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\OpenSA\Apache2\bin\Apache.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\RTHDCPL.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Sprint music manager\MEMonitor.exe
C:\Program Files\TimeLeft3\TimeLeft.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5080610
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5080610
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AGSearchHook Class - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - C:\Program Files\AGI\common\agcutils.dll
O2 - BHO: AGSearchHook Class - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - C:\Program Files\AGI\common\agcutils.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [\\MAIN\EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P37 "\\MAIN\EPSON Stylus Photo R320 Series" /O6 "USB002" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R320 Series on MAIN] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P43 "Auto EPSON Stylus Photo R320 Series on MAIN" /O13 "\\MAIN\EPSON1" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Eyeball Chat] "C:\PROGRA~1\Eyeball\EYEBAL~1\EyeballChat.exe" -min
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: check-ip-changed.bat
O4 - Startup: MEMonitor.lnk = C:\Program Files\Sprint music manager\MEMonitor.exe
O4 - Startup: TimeLeft.lnk = C:\Program Files\TimeLeft3\TimeLeft.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download all by NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\StreamingStar\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\Program Files\StreamingStar\HiDownload\HDGet.htm
O8 - Extra context menu item: Download by NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Extract Flash Video with Bytescout... - {F7DC590B-B6AD-4F7D-A778-7954A6D15B7F} - C:\Program Files\Bytescout Movies Extractor Scout\flashextract_ie.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\StreamingStar\HiDownload\hidownload.exe (HKCU)
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {7E9522CF-6B95-46D6-8E2F-7638F507313F} (BLS_SpeedOP.systemcheck) - http://www.fastaccess.drivers.bellsouth.ne...bls_speedop.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: McAfee Application Installer Cleanup (0312231229078261) (0312231229078261mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\031223~1.EXE
O23 - Service: AG Windows Service (AGWinService) - Unknown owner - C:\Program Files\AGI\common\win32\PythonService.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apache2 - Apache Software Foundation - C:\OpenSA\Apache2\bin\Apache.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DellAMBrokerService - Unknown owner - C:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12215 bytes



I am still having issues being able to click things. I have to change to another program and come back before I can click on things sometimes.

#11 fscguy

fscguy
  • Topic Starter

  • Members
  • 145 posts
  • OFFLINE
  •  
  • Local time:11:51 AM

Posted 13 December 2008 - 11:48 AM

I was looking at my process list and I noticed scanproccess.exe running, which I read was for Zone Alarm, which I don't even have. It shows up 3 times actually.

Edited by fscguy, 13 December 2008 - 11:49 AM.


#12 fscguy

fscguy
  • Topic Starter

  • Members
  • 145 posts
  • OFFLINE
  •  
  • Local time:11:51 AM

Posted 17 December 2008 - 09:20 PM

do you need more from me? also

#13 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:09:51 AM

Posted 20 December 2008 - 06:08 PM

Hello, fscguy
Those logs look good. Are you still having problems?

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#14 fscguy

fscguy
  • Topic Starter

  • Members
  • 145 posts
  • OFFLINE
  •  
  • Local time:11:51 AM

Posted 20 December 2008 - 06:24 PM

Yes I am. I am still having to change focus to click sometimes.

#15 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:09:51 AM

Posted 20 December 2008 - 06:27 PM

Hmm.... I'm a little confused as to the problem. Does this occur inside any particular application? Are you saying you have to basically minimize and then restore some window before being able to click inside of it?

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)