

Browser HiJacked?


  • This topic is locked
13 replies to this topic

#1 Dipstix6996

Dipstix6996

  • Members
  • 26 posts
  • OFFLINE
  • Local time:01:44 PM

Posted 22 January 2009 - 02:37 PM

I am doing this for a buddy who is not so computer literate.

I was told that when he puts in data (say a user name or a quantity/amount) and presses a submit/enter button in IE, the page refreshes and displays different data than what was originally entered. So far I just ran A-squared to remove a ton of viruses, and CCleaner and Malwarebytes to clean it up as best I can. Can someone take a look at the HijackThis log and see if I missed anything?
Thanks!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:56:22 PM, on 1/22/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Lexmark X1100 Series\LXBKbmgr.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\System32\mobsync.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Windows\system32\taskeng.exe
C:\Users\Chuck\Desktop\David Krueger.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [ECenter] c:\dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [lxbkbmgr.exe] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: QuickSet.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/...NPUplden-us.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbk_device - - C:\Windows\system32\lxbkcoms.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8107 bytes





Malwarebytes' Anti-Malware 1.33
Database version: 1682
Windows 6.0.6001 Service Pack 1

1/23/2009 11:18:38 AM
mbam-log-2009-01-23 (11-18-38).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 151202
Time elapsed: 2 hour(s), 2 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 16
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Dipstix6996, 23 January 2009 - 11:55 AM.
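The HijackThis log above is read by hand in this thread; the helper below is an added example (it is not BleepingComputer's, Trend Micro's or the poster's code) that does the first pass a log reader does mechanically: it parses the `Oxx - ...` entries and the running-process list into records and flags the entry types a responder looks at first, namely O20 AppInit_DLLs values (a DLL loaded into every process that links user32.dll), O16 ActiveX entries that have lost their source URL, O23 services with no publisher recorded, and processes or Run entries that execute from a user-profile directory. The sample log is constructed for the example from the formats seen on this page; the `alice` profile paths and `updater.exe` name are made up, and the heuristics are meant to produce a review list, not a verdict.

```python
"""Triage helper for HijackThis-style logs (added example, not the project's own code)."""
import re
from dataclasses import dataclass

# Constructed sample in HijackThis format. The Google AppInit entry, the orphaned
# O16 CLSID and the two O23 services mirror lines from the thread; the 'alice'
# paths and 'updater.exe' are invented for the example.
SAMPLE_LOG = r"""
Running processes:
C:\Windows\Explorer.EXE
C:\Users\alice\Desktop\unknown_tool.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKCU\..\Run: [Updater] C:\Users\alice\AppData\Roaming\updater.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: lxbk_device - - C:\Windows\system32\lxbkcoms.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""


@dataclass(frozen=True)
class Entry:
    code: str   # HijackThis section code ('O4', 'O23', ...); 'PROC' for a running process
    body: str   # text after the 'Oxx - ' prefix, or the process path


@dataclass(frozen=True)
class Finding:
    code: str
    reason: str
    body: str


ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
USER_DIR_RE = re.compile(r"\\(users|documents and settings)\\", re.IGNORECASE)
# 'Service: <name> - <owner> - <path>'; owner may be empty ('name - - path').
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.*?) ?- (?P<path>.+)$")


def parse_hjt(text):
    """Return the Oxx/Rx entries plus the 'Running processes' block as Entry records."""
    entries = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:            # blank line closes the process block
                in_procs = False
            else:
                entries.append(Entry("PROC", line))
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Apply the review heuristics; the output is a list to verify, not a verdict."""
    findings = []
    for e in entries:
        if e.code == "PROC" and USER_DIR_RE.search(e.body):
            findings.append(Finding(e.code, "executable running from a user-profile directory", e.body))
        elif e.code == "O4" and USER_DIR_RE.search(e.body):
            findings.append(Finding(e.code, "autostart entry pointing into a user-profile directory", e.body))
        elif e.code == "O16" and e.body.rstrip().endswith(" -"):
            findings.append(Finding(e.code, "ActiveX download entry with no source URL (orphaned CLSID)", e.body))
        elif e.code == "O20" and e.body.startswith("AppInit_DLLs:") and e.body.split(":", 1)[1].strip():
            findings.append(Finding(e.code, "AppInit_DLLs set: loaded into every user32-linked process; verify publisher", e.body))
        elif e.code == "O23":
            m = O23_RE.match(e.body)
            if m and m.group("owner").strip() in ("", "Unknown owner"):
                findings.append(Finding(e.code, "service with no publisher recorded", e.body))
    return findings


def summarize(findings):
    """Count findings per section code, e.g. {'O23': 2, ...}."""
    counts = {}
    for f in findings:
        counts[f.code] = counts.get(f.code, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f.code:5} {f.reason}\n      {f.body}")
```

Every flagged line on the sample is also benign-looking on this page (Dell and Lexmark services with missing vendor strings, a Google Desktop AppInit DLL), which is the point: the script narrows a 100-line log to the handful of entries worth checking against the file on disk and its signature, and the human still decides.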



#2 Dipstix6996

Dipstix6996
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:01:44 PM

Posted 27 January 2009 - 01:33 PM

I also found out that I cannot install Windows updates, and I keep getting a Windows error message: "Host process for windows services stopped working and was closed". That error message pops up every so often.

The computer is also running Vista if that helps

Edited by Dipstix6996, 27 January 2009 - 07:53 PM.


#3 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:44 PM

Posted 30 January 2009 - 02:15 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Download and Run DDS
If you already have a copy of DDS, there is no need to download a new one.

Download DDS by sUBs from any of the links below:
DDS.com, DDS.scr, DDS.pif

Double click its icon to run it. If you are using Windows Vista, right click it and select "Run as Administrator".
When the scan is finished, two logs will open.
Post DDS.txt directly into your reply. Attach Attach.txt.

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Please tell me what changes have been made to the computer since your topic was started. Also give me an update on any symptoms.

With Regards,
The Panda

#4 Dipstix6996

Dipstix6996
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:01:44 PM

Posted 31 January 2009 - 02:38 AM

Hello Panda. Thanks for the help. Here is the DDS log and the attached log. I am currently running the F-Secure online scan, but I got an IE error before the scan started. I took a screenshot of it (at the bottom of this reply), but I was still able to do the scan of the computer. Also, McAfee would not allow me to disable it.





DDS (Ver_09-01-19.01) - NTFSx86
Run by Chuck at 2:09:02.50 on Sat 01/31/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.2037.1123 [GMT -5:00]

AV: PC-cillin Internet Security - Virus Protection *On-access scanning enabled* (Outdated)
FW: PC-cillin Internet Security - Firewall *enabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\lxbkcoms.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\mobsync.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Lexmark X1100 Series\LXBKbmgr.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Windows\system32\wermgr.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Chuck\Desktop\dds.com
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uWindow Title = Internet Explorer provided by Dell
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070809
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070809
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [lxbkbmgr.exe] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\sttray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\windows\installer\{7f0c4457-8e64-491b-8d7b-991504365d1e}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL

============= SERVICES / DRIVERS ===============

R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2007-8-9 234496]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2007-8-9 7424]

=============== Created Last 30 ================

2009-01-28 17:37 <DIR> --d----- c:\program files\FMS
2009-01-23 01:00 <DIR> --d----- c:\users\chuck\appdata\roaming\Malwarebytes
2009-01-23 01:00 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-23 01:00 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-23 01:00 <DIR> --d----- c:\programdata\Malwarebytes
2009-01-23 01:00 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-23 01:00 <DIR> --d----- c:\progra~2\Malwarebytes
2009-01-22 11:18 <DIR> --d----- c:\program files\CCleaner
2009-01-22 01:59 <DIR> --d----- c:\program files\a-squared Free

==================== Find3M ====================

2008-10-20 18:56 143,360 a------- c:\windows\inf\infstrng.dat
2008-10-20 18:56 86,016 a------- c:\windows\inf\infstor.dat
2008-10-20 18:56 51,200 a------- c:\windows\inf\infpub.dat
2008-10-02 23:19 174 a--sh--- c:\program files\desktop.ini
2008-10-02 23:05 665,600 a------- c:\windows\inf\drvindex.dat
2008-04-06 09:03 36,487,088 a------- c:\users\chuck\cjrX1100EN.exe
2006-11-02 07:39 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:39 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:39 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:39 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-08-08 16:29 76 ---shr-- c:\windows\CT4CET.bin
2008-10-25 07:19 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-10-25 07:19 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-10-25 07:19 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2007-08-09 00:09 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 2:10:07.77 ===============




Posted Image

Attached Files



#5 Dipstix6996

Dipstix6996
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:01:44 PM

Posted 31 January 2009 - 04:11 AM

Even after enabling the ActiveX, the scan did not start. I waited over an hour and it did not scan a single object.

#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:44 PM

Posted 31 January 2009 - 11:04 AM

Hello.

Ah. Had you opened Internet Explorer using Run As Administrator? Sorry, I had forgotten to include that.

Update Java to Version 6 Update 11
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please download the installer for Windows.32, here. Follow the prompts to install and delete the install after use.
---
From the DDS log, there doesn't appear to be an infection. Let's dig deeper.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

Also include a fresh DDS.txt log.

Please give me an update on the symptoms.

With Regards,
The Panda

#7 Dipstix6996

Dipstix6996
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:01:44 PM

Posted 01 February 2009 - 03:38 AM

I was able to do the F-Secure scan, but after finishing I ran the GMER scan and got the blue screen of death and lost the log for the F-Secure scan, but I did eventually get a log for the GMER. I do know the F-Secure scan removed 14 objects of spyware. I tried to uninstall Java and all I got was this message:

Posted Image

So I did not run the Java update you asked me to.

Here is the GMER log:


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-01 03:14:32
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.14 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8D2179BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8D217958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8D21796C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8D2179FC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8D217A3F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8D217930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8D217944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8D2179D2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x8D217A67]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x8D217A53]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8D2179AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8D217996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8D217A2B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8D217A12]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8D2179E8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8D217982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwYieldExecution 81E7018C 5 Bytes JMP 8D2179EC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 8200A17C 5 Bytes JMP 8D217A43 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateUserProcess 82011DCA 5 Bytes JMP 8D217986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 8202BF80 5 Bytes JMP 8D217A2F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 8204B1DC 5 Bytes JMP 8D217948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 8205AB18 5 Bytes JMP 8D217934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 8206D74E 7 Bytes JMP 8D217A00 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 8206DDA5 5 Bytes JMP 8D217A16 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8206FFB6 5 Bytes JMP 8D2179C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 8207D674 5 Bytes JMP 8D21799A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 8207F8CE 7 Bytes JMP 8D2179D6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8209E452 5 Bytes JMP 8D217A57 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8209F49E 5 Bytes JMP 8D217A6B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 820DD1C1 5 Bytes JMP 8D21795C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 820DD20C 7 Bytes JMP 8D217970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 820DDCCB 5 Bytes JMP 8D2179AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.14 ----

.text C:\Windows\system32\services.exe[664] kernel32.dll!GetStartupInfoW 75C81929 5 Bytes JMP 001B009D
.text C:\Windows\system32\services.exe[664] kernel32.dll!GetStartupInfoA 75C819C9 5 Bytes JMP 001B0F57
.text C:\Windows\system32\services.exe[664] kernel32.dll!CreateProcessW 75C81C01 5 Bytes JMP 001B00C2
.text C:\Windows\system32\services.exe[664] kernel32.dll!CreateProcessA 75C81C36 5 Bytes JMP 001B0F21
.text C:\Windows\system32\services.exe[664] kernel32.dll!VirtualProtect 75C81DD1 5 Bytes JMP 001B0F7C
.text C:\Windows\system32\services.exe[664] kernel32.dll!CreateNamedPipeW 75C85C44 5 Bytes JMP 001B0FA8
.text C:\Windows\system32\services.exe[664] kernel32.dll!LoadLibraryExW 75CA30C3 5 Bytes JMP 001B004A
.text C:\Windows\system32\services.exe[664] kernel32.dll!LoadLibraryW 75CA361F 5 Bytes JMP 001B001E
.text C:\Windows\system32\services.exe[664] kernel32.dll!VirtualProtectEx 75CA8D7E 5 Bytes JMP 001B0067
.text C:\Windows\system32\services.exe[664] kernel32.dll!LoadLibraryExA 75CA9469 5 Bytes JMP 001B0039
.text C:\Windows\system32\services.exe[664] kernel32.dll!LoadLibraryA 75CA9491 5 Bytes JMP 001B0F97
.text C:\Windows\system32\services.exe[664] kernel32.dll!CreatePipe 75CB0284 5 Bytes JMP 001B0078
.text C:\Windows\system32\services.exe[664] kernel32.dll!GetProcAddress 75CCB8B6 5 Bytes JMP 001B0F10
.text C:\Windows\system32\services.exe[664] kernel32.dll!CreateFileW 75CCCC4E 5 Bytes JMP 001B0FD4
.text C:\Windows\system32\services.exe[664] kernel32.dll!CreateFileA 75CCCF71 5 Bytes JMP 001B0FEF
.text C:\Windows\system32\services.exe[664] kernel32.dll!CreateNamedPipeA 75D141F6 5 Bytes JMP 001B0FC3
.text C:\Windows\system32\services.exe[664] kernel32.dll!WinExec 75D153E7 5 Bytes JMP 001B0F3C
.text C:\Windows\system32\services.exe[664] ADVAPI32.dll!RegCreateKeyExA 75DDB5E7 5 Bytes JMP 00750F9E
.text C:\Windows\system32\services.exe[664] ADVAPI32.dll!RegCreateKeyA 75DDB8AE 5 Bytes JMP 0075002F
.text C:\Windows\system32\services.exe[664] ADVAPI32.dll!RegOpenKeyA 75DE0BF5 5 Bytes JMP 00750FEF
.text C:\Windows\system32\services.exe[664] ADVAPI32.dll!RegCreateKeyW 75DEB83D 5 Bytes JMP 0075004A
.text C:\Windows\system32\services.exe[664] ADVAPI32.dll!RegCreateKeyExW 75DEBCE1 5 Bytes JMP 0075005B
.text C:\Windows\system32\services.exe[664] ADVAPI32.dll!RegOpenKeyExA 75DED4E8 5 Bytes JMP 00750014
.text C:\Windows\system32\services.exe[664] ADVAPI32.dll!RegOpenKeyW 75DF3CB0 5 Bytes JMP 00750FDE
.text C:\Windows\system32\services.exe[664] ADVAPI32.dll!RegOpenKeyExW 75DFF09D 5 Bytes JMP 00750FC3
.text C:\Windows\system32\services.exe[664] WS2_32.dll!socket 75E936D1 5 Bytes JMP 00760000
.text C:\Windows\system32\lsass.exe[700] kernel32.dll!GetStartupInfoW 75C81929 5 Bytes JMP 0013009A
.text C:\Windows\system32\lsass.exe[700] kernel32.dll!GetStartupInfoA 75C819C9 5 Bytes JMP 00130F5E
.text C:\Windows\system32\lsass.exe[700] kernel32.dll!CreateProcessW 75C81C01 5 Bytes JMP 001300C6
.text C:\Windows\system32\lsass.exe[700] kernel32.dll!CreateProcessA 75C81C36 5 Bytes JMP 001300B5
.text C:\Windows\system32\lsass.exe[700] kernel32.dll!VirtualProtect 75C81DD1 5 Bytes JMP 0013006E
.text C:\Windows\system32\lsass.exe[700] kernel32.dll!CreateNamedPipeW 75C85C44 5 Bytes JMP 00130FC0
.text C:\Windows\system32\lsass.exe[700] kernel32.dll!LoadLibraryExW 75CA30C3 5 Bytes JMP 0013005D
.text C:\Windows\system32\lsass.exe[700] kernel32.dll!LoadLibraryW 75CA361F 5 Bytes JMP 00130F94
.text C:\Windows\system32\lsass.exe[700] kernel32.dll!VirtualProtectEx 75CA8D7E 5 Bytes JMP 00130089
.text C:\Windows\system32\lsass.exe[700] kernel32.dll!LoadLibraryExA 75CA9469 5 Bytes JMP 00130036
.text C:\Windows\system32\lsass.exe[700] kernel32.dll!LoadLibraryA 75CA9491 5 Bytes JMP 00130FAF
.text C:\Windows\system32\lsass.exe[700] kernel32.dll!CreatePipe 75CB0284 5 Bytes JMP 00130F6F
.text C:\Windows\system32\lsass.exe[700] kernel32.dll!GetProcAddress 75CCB8B6 5 Bytes JMP 001300E1
.text C:\Windows\system32\lsass.exe[700] kernel32.dll!CreateFileW 75CCCC4E 5 Bytes JMP 00130000
.text C:\Windows\system32\lsass.exe[700] kernel32.dll!CreateFileA 75CCCF71 5 Bytes JMP 00130FEF
.text C:\Windows\system32\lsass.exe[700] kernel32.dll!CreateNamedPipeA 75D141F6 5 Bytes JMP 0013001B
.text C:\Windows\system32\lsass.exe[700] kernel32.dll!WinExec 75D153E7 5 Bytes JMP 00130F43
.text C:\Windows\system32\lsass.exe[700] ADVAPI32.dll!RegCreateKeyExA 75DDB5E7 5 Bytes JMP 00140FA8
.text C:\Windows\system32\lsass.exe[700] ADVAPI32.dll!RegCreateKeyA 75DDB8AE 5 Bytes JMP 00140040
.text C:\Windows\system32\lsass.exe[700] ADVAPI32.dll!RegOpenKeyA 75DE0BF5 5 Bytes JMP 00140FEF
.text C:\Windows\system32\lsass.exe[700] ADVAPI32.dll!RegCreateKeyW 75DEB83D 5 Bytes JMP 00140FB9
.text C:\Windows\system32\lsass.exe[700] ADVAPI32.dll!RegCreateKeyExW 75DEBCE1 5 Bytes JMP 00140F83
.text C:\Windows\system32\lsass.exe[700] ADVAPI32.dll!RegOpenKeyExA 75DED4E8 5 Bytes JMP 0014001B
.text C:\Windows\system32\lsass.exe[700] ADVAPI32.dll!RegOpenKeyW 75DF3CB0 5 Bytes JMP 0014000A
.text C:\Windows\system32\lsass.exe[700] ADVAPI32.dll!RegOpenKeyExW 75DFF09D 5 Bytes JMP 00140FCA
.text C:\Windows\system32\lsass.exe[700] WS2_32.dll!socket 75E936D1 5 Bytes JMP 00150FEF
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!GetStartupInfoW 75C81929 5 Bytes JMP 001A00B1
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!GetStartupInfoA 75C819C9 5 Bytes JMP 001A0096
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateProcessW 75C81C01 5 Bytes JMP 001A0F2B
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateProcessA 75C81C36 5 Bytes JMP 001A0F3C
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!VirtualProtect 75C81DD1 5 Bytes JMP 001A004F
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateNamedPipeW 75C85C44 5 Bytes JMP 001A0FB2
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!LoadLibraryExW 75CA30C3 5 Bytes JMP 001A0F75
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!LoadLibraryW 75CA361F 5 Bytes JMP 001A0F86
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!VirtualProtectEx 75CA8D7E 5 Bytes JMP 001A0060
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!LoadLibraryExA 75CA9469 5 Bytes JMP 001A0032
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!LoadLibraryA 75CA9491 5 Bytes JMP 001A0FA1
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreatePipe 75CB0284 5 Bytes JMP 001A0085
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!GetProcAddress 75CCB8B6 5 Bytes JMP 001A00DD
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateFileW 75CCCC4E 5 Bytes JMP 001A0FDE
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateFileA 75CCCF71 5 Bytes JMP 001A0FEF
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateNamedPipeA 75D141F6 5 Bytes JMP 001A0FCD
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!WinExec 75D153E7 5 Bytes JMP 001A00C2
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyExA 75DDB5E7 5 Bytes JMP 001B006C
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyA 75DDB8AE 5 Bytes JMP 001B0FCA
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyA 75DE0BF5 5 Bytes JMP 001B0000
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyW 75DEB83D 5 Bytes JMP 001B0051
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyExW 75DEBCE1 5 Bytes JMP 001B0087
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyExA 75DED4E8 5 Bytes JMP 001B0FE5
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyW 75DF3CB0 5 Bytes JMP 001B0011
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyExW 75DFF09D 5 Bytes JMP 001B0036
.text C:\Windows\system32\svchost.exe[880] WS2_32.dll!socket 75E936D1 5 Bytes JMP 00390000
.text C:\Windows\system32\svchost.exe[944] kernel32.dll!GetStartupInfoW 75C81929 5 Bytes JMP 001B0F4D
.text C:\Windows\system32\svchost.exe[944] kernel32.dll!GetStartupInfoA 75C819C9 5 Bytes JMP 001B0F68
.text C:\Windows\system32\svchost.exe[944] kernel32.dll!CreateProcessW 75C81C01 5 Bytes JMP 001B0F17
.text C:\Windows\system32\svchost.exe[944] kernel32.dll!CreateProcessA 75C81C36 5 Bytes JMP 001B0F28
.text C:\Windows\system32\svchost.exe[944] kernel32.dll!VirtualProtect 75C81DD1 5 Bytes JMP 001B0071
.text C:\Windows\system32\svchost.exe[944] kernel32.dll!CreateNamedPipeW 75C85C44 5 Bytes JMP 001B0FCD
.text C:\Windows\system32\svchost.exe[944] kernel32.dll!LoadLibraryExW 75CA30C3 5 Bytes JMP 001B004A
.text C:\Windows\system32\svchost.exe[944] kernel32.dll!LoadLibraryW 75CA361F 5 Bytes JMP 001B0039
.text C:\Windows\system32\svchost.exe[944] kernel32.dll!VirtualProtectEx 75CA8D7E 1 Byte [ E9 ]
.text C:\Windows\system32\svchost.exe[944] kernel32.dll!VirtualProtectEx + 2 75CA8D80 3 Bytes [ 72, 50, 8A ]
.text C:\Windows\system32\svchost.exe[944] kernel32.dll!LoadLibraryExA 75CA9469 5 Bytes JMP 001B0F97
.text C:\Windows\system32\svchost.exe[944] kernel32.dll!LoadLibraryA 75CA9491 5 Bytes JMP 001B0FB2
.text C:\Windows\system32\svchost.exe[944] kernel32.dll!CreatePipe 75CB0284 5 Bytes JMP 001B0093
.text C:\Windows\system32\svchost.exe[944] kernel32.dll!GetProcAddress 75CCB8B6 5 Bytes JMP 001B0EFC
.text C:\Windows\system32\svchost.exe[944] kernel32.dll!CreateFileW 75CCCC4E 5 Bytes JMP 001B0FDE
.text C:\Windows\system32\svchost.exe[944] kernel32.dll!CreateFileA 75CCCF71 5 Bytes JMP 001B0FEF
.text C:\Windows\system32\svchost.exe[944] kernel32.dll!CreateNamedPipeA 75D141F6 5 Bytes JMP 001B0014
.text C:\Windows\system32\svchost.exe[944] kernel32.dll!WinExec 75D153E7 5 Bytes JMP 001B00AE
.text C:\Windows\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyExA 75DDB5E7 5 Bytes JMP 00200F94
.text C:\Windows\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyA 75DDB8AE 5 Bytes JMP 00200FCA
.text C:\Windows\system32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyA 75DE0BF5 5 Bytes JMP 00200000
.text C:\Windows\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyW 75DEB83D 5 Bytes JMP 00200FAF
.text C:\Windows\system32\svchost.exe[944] ADVAPI32.dll!RegCreateKeyExW 75DEBCE1 5 Bytes JMP 00200051
.text C:\Windows\system32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyExA 75DED4E8 5 Bytes JMP 0020002C
.text C:\Windows\system32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyW 75DF3CB0 5 Bytes JMP 0020001B
.text C:\Windows\system32\svchost.exe[944] ADVAPI32.dll!RegOpenKeyExW 75DFF09D 5 Bytes JMP 00200FDB
.text C:\Windows\system32\svchost.exe[944] WS2_32.dll!socket 75E936D1 5 Bytes JMP 00260FEF
.text C:\Windows\System32\svchost.exe[1116] kernel32.dll!GetStartupInfoW 75C81929 5 Bytes JMP 002C009E
.text C:\Windows\System32\svchost.exe[1116] kernel32.dll!GetStartupInfoA 75C819C9 5 Bytes JMP 002C0083
.text C:\Windows\System32\svchost.exe[1116] kernel32.dll!CreateProcessW 75C81C01 5 Bytes JMP 002C00DE
.text C:\Windows\System32\svchost.exe[1116] kernel32.dll!CreateProcessA 75C81C36 5 Bytes JMP 002C00C3
.text C:\Windows\System32\svchost.exe[1116] kernel32.dll!VirtualProtect 75C81DD1 5 Bytes JMP 002C0F7A
.text C:\Windows\System32\svchost.exe[1116] kernel32.dll!CreateNamedPipeW 75C85C44 5 Bytes JMP 002C0FD4
.text C:\Windows\System32\svchost.exe[1116] kernel32.dll!LoadLibraryExW 75CA30C3 5 Bytes JMP 002C0F97
.text C:\Windows\System32\svchost.exe[1116] kernel32.dll!LoadLibraryW 75CA361F 5 Bytes JMP 002C0FB9
.text C:\Windows\System32\svchost.exe[1116] kernel32.dll!VirtualProtectEx 75CA8D7E 5 Bytes JMP 002C0F69
.text C:\Windows\System32\svchost.exe[1116] kernel32.dll!LoadLibraryExA 75CA9469 5 Bytes JMP 002C0FA8
.text C:\Windows\System32\svchost.exe[1116] kernel32.dll!LoadLibraryA 75CA9491 5 Bytes JMP 002C004A
.text C:\Windows\System32\svchost.exe[1116] kernel32.dll!CreatePipe 75CB0284 5 Bytes JMP 002C0F58
.text C:\Windows\System32\svchost.exe[1116] kernel32.dll!GetProcAddress 75CCB8B6 5 Bytes JMP 002C0F22
.text C:\Windows\System32\svchost.exe[1116] kernel32.dll!CreateFileW 75CCCC4E 5 Bytes JMP 002C000A
.text C:\Windows\System32\svchost.exe[1116] kernel32.dll!CreateFileA 75CCCF71 5 Bytes JMP 002C0FEF
.text C:\Windows\System32\svchost.exe[1116] kernel32.dll!CreateNamedPipeA 75D141F6 5 Bytes JMP 002C0025
.text C:\Windows\System32\svchost.exe[1116] kernel32.dll!WinExec 75D153E7 5 Bytes JMP 002C0F3D
.text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyExA 75DDB5E7 5 Bytes JMP 002D006C
.text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyA 75DDB8AE 5 Bytes JMP 002D0040
.text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyA 75DE0BF5 5 Bytes JMP 002D0FEF
.text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyW 75DEB83D 5 Bytes JMP 002D0051
.text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyExW 75DEBCE1 5 Bytes JMP 002D007D
.text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyExA 75DED4E8 5 Bytes JMP 002D0FD4
.text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyW 75DF3CB0 5 Bytes JMP 002D000A
.text C:\Windows\System32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyExW 75DFF09D 5 Bytes JMP 002D0025
.text C:\Windows\System32\svchost.exe[1116] WS2_32.dll!socket 75E936D1 5 Bytes JMP 002E0000
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!GetStartupInfoW 75C81929 5 Bytes JMP 00D20078
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!GetStartupInfoA 75C819C9 5 Bytes JMP 00D20067
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!CreateProcessW 75C81C01 5 Bytes JMP 00D200BF
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!CreateProcessA 75C81C36 5 Bytes JMP 00D200AE
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!VirtualProtect 75C81DD1 5 Bytes JMP 00D20056
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!CreateNamedPipeW 75C85C44 5 Bytes JMP 00D20FC3
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!LoadLibraryExW 75CA30C3 5 Bytes JMP 00D20F7C
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!LoadLibraryW 75CA361F 5 Bytes JMP 00D20FA8
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!VirtualProtectEx 75CA8D7E 5 Bytes JMP 00D20F61
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!LoadLibraryExA 75CA9469 5 Bytes JMP 00D20F97
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!LoadLibraryA 75CA9491 5 Bytes JMP 00D2002F
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!CreatePipe 75CB0284 5 Bytes JMP 00D20F3C
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!GetProcAddress 75CCB8B6 5 Bytes JMP 00D200D0
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!CreateFileW 75CCCC4E 5 Bytes JMP 00D20FE5
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!CreateFileA 75CCCF71 5 Bytes JMP 00D2000A
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!CreateNamedPipeA 75D141F6 5 Bytes JMP 00D20FD4
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!WinExec 75D153E7 5 Bytes JMP 00D20093
.text C:\Windows\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyExA 75DDB5E7 5 Bytes JMP 00D30065
.text C:\Windows\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyA 75DDB8AE 5 Bytes JMP 00D30054
.text C:\Windows\System32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyA 75DE0BF5 5 Bytes JMP 00D30FEF
.text C:\Windows\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyW 75DEB83D 5 Bytes JMP 00D30FC3
.text C:\Windows\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyExW 75DEBCE1 5 Bytes JMP 00D30FA8
.text C:\Windows\System32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyExA 75DED4E8 5 Bytes JMP 00D3001E
.text C:\Windows\System32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyW 75DF3CB0 5 Bytes JMP 00D30FDE
.text C:\Windows\System32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyExW 75DFF09D 5 Bytes JMP 00D3002F
.text C:\Windows\System32\svchost.exe[1148] WS2_32.dll!socket 75E936D1 5 Bytes JMP 00D40000
.text C:\Windows\system32\svchost.exe[1316] kernel32.dll!GetStartupInfoW 75C81929 5 Bytes JMP 00080F46
.text C:\Windows\system32\svchost.exe[1316] kernel32.dll!GetStartupInfoA 75C819C9 5 Bytes JMP 0008008C
.text C:\Windows\system32\svchost.exe[1316] kernel32.dll!CreateProcessW 75C81C01 5 Bytes JMP 00080F2B
.text C:\Windows\system32\svchost.exe[1316] kernel32.dll!CreateProcessA 75C81C36 5 Bytes JMP 000800C2
.text C:\Windows\system32\svchost.exe[1316] kernel32.dll!VirtualProtect 75C81DD1 5 Bytes JMP 00080F7C
.text C:\Windows\system32\svchost.exe[1316] kernel32.dll!CreateNamedPipeW 75C85C44 5 Bytes JMP 00080FD4
.text C:\Windows\system32\svchost.exe[1316] kernel32.dll!LoadLibraryExW 75CA30C3 5 Bytes JMP 00080F8D
.text C:\Windows\system32\svchost.exe[1316] kernel32.dll!LoadLibraryW 75CA361F 5 Bytes JMP 00080FAF
.text C:\Windows\system32\svchost.exe[1316] kernel32.dll!VirtualProtectEx 75CA8D7E 5 Bytes JMP 00080071
.text C:\Windows\system32\svchost.exe[1316] kernel32.dll!LoadLibraryExA 75CA9469 5 Bytes JMP 00080F9E
.text C:\Windows\system32\svchost.exe[1316] kernel32.dll!LoadLibraryA 75CA9491 5 Bytes JMP 00080040
.text C:\Windows\system32\svchost.exe[1316] kernel32.dll!CreatePipe 75CB0284 5 Bytes JMP 00080F61
.text C:\Windows\system32\svchost.exe[1316] kernel32.dll!GetProcAddress 75CCB8B6 5 Bytes JMP 00080F10
.text C:\Windows\system32\svchost.exe[1316] kernel32.dll!CreateFileW 75CCCC4E 5 Bytes JMP 00080025
.text C:\Windows\system32\svchost.exe[1316] kernel32.dll!CreateFileA 75CCCF71 5 Bytes JMP 00080000
.text C:\Windows\system32\svchost.exe[1316] kernel32.dll!CreateNamedPipeA 75D141F6 5 Bytes JMP 00080FEF
.text C:\Windows\system32\svchost.exe[1316] kernel32.dll!WinExec 75D153E7 5 Bytes JMP 000800A7
.text C:\Windows\system32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyExA 75DDB5E7 5 Bytes JMP 008B0051
.text C:\Windows\system32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyA 75DDB8AE 5 Bytes JMP 008B0FC0
.text C:\Windows\system32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyA 75DE0BF5 5 Bytes JMP 008B0000
.text C:\Windows\system32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyW 75DEB83D 5 Bytes JMP 008B0FAF
.text C:\Windows\system32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyExW 75DEBCE1 5 Bytes JMP 008B0F94
.text C:\Windows\system32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyExA 75DED4E8 5 Bytes JMP 008B0011
.text C:\Windows\system32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyW 75DF3CB0 5 Bytes JMP 008B0FDB
.text C:\Windows\system32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyExW 75DFF09D 5 Bytes JMP 008B002C
.text C:\Windows\system32\svchost.exe[1316] WS2_32.dll!socket 75E936D1 5 Bytes JMP 00980FEF
.text C:\Windows\system32\svchost.exe[1316] WinInet.dll!InternetOpenA 760D03DD 5 Bytes JMP 00990FE5
.text C:\Windows\system32\svchost.exe[1316] WinInet.dll!InternetOpenUrlA 760D20A3 3 Bytes JMP 00990011
.text C:\Windows\system32\svchost.exe[1316] WinInet.dll!InternetOpenUrlA + 4 760D20A7 1 Byte [ 8A ]
.text C:\Windows\system32\svchost.exe[1316] WinInet.dll!InternetOpenW 760D2A58 3 Bytes JMP 00990000
.text C:\Windows\system32\svchost.exe[1316] WinInet.dll!InternetOpenW + 4 760D2A5C 1 Byte [ 8A ]
.text C:\Windows\system32\svchost.exe[1316] WinInet.dll!InternetOpenUrlW 7611AF79 5 Bytes JMP 00990FC0
.text C:\Windows\Explorer.EXE[1356] kernel32.dll!GetStartupInfoW 75C81929 5 Bytes JMP 002C0098
.text C:\Windows\Explorer.EXE[1356] kernel32.dll!GetStartupInfoA 75C819C9 5 Bytes JMP 002C0F5C
.text C:\Windows\Explorer.EXE[1356] kernel32.dll!CreateProcessW 75C81C01 5 Bytes JMP 002C00C4
.text C:\Windows\Explorer.EXE[1356] kernel32.dll!CreateProcessA 75C81C36 5 Bytes JMP 002C00A9
.text C:\Windows\Explorer.EXE[1356] kernel32.dll!VirtualProtect 75C81DD1 5 Bytes JMP 002C0087
.text C:\Windows\Explorer.EXE[1356] kernel32.dll!CreateNamedPipeW 75C85C44 5 Bytes JMP 002C002C
.text C:\Windows\Explorer.EXE[1356] kernel32.dll!LoadLibraryExW 75CA30C3 5 Bytes JMP 002C0FA3
.text C:\Windows\Explorer.EXE[1356] kernel32.dll!LoadLibraryW 75CA361F 5 Bytes JMP 002C0047
.text C:\Windows\Explorer.EXE[1356] kernel32.dll!VirtualProtectEx 75CA8D7E 5 Bytes JMP 002C0F92
.text C:\Windows\Explorer.EXE[1356] kernel32.dll!LoadLibraryExA 75CA9469 5 Bytes JMP 002C006C
.text C:\Windows\Explorer.EXE[1356] kernel32.dll!LoadLibraryA 75CA9491 5 Bytes JMP 002C0FC0
.text C:\Windows\Explorer.EXE[1356] kernel32.dll!CreatePipe 75CB0284 5 Bytes JMP 002C0F6D
.text C:\Windows\Explorer.EXE[1356] kernel32.dll!GetProcAddress 75CCB8B6 5 Bytes JMP 002C0F12
.text C:\Windows\Explorer.EXE[1356] kernel32.dll!CreateFileW 75CCCC4E 5 Bytes JMP 002C0FEF
.text C:\Windows\Explorer.EXE[1356] kernel32.dll!CreateFileA 75CCCF71 5 Bytes JMP 002C000A
.text C:\Windows\Explorer.EXE[1356] kernel32.dll!CreateNamedPipeA 75D141F6 5 Bytes JMP 002C001B
.text C:\Windows\Explorer.EXE[1356] kernel32.dll!WinExec 75D153E7 5 Bytes JMP 002C0F2D
.text C:\Windows\Explorer.EXE[1356] ADVAPI32.dll!RegCreateKeyExA 75DDB5E7 5 Bytes JMP 00890FB2
.text C:\Windows\Explorer.EXE[1356] ADVAPI32.dll!RegCreateKeyA 75DDB8AE 5 Bytes JMP 0089002F
.text C:\Windows\Explorer.EXE[1356] ADVAPI32.dll!RegOpenKeyA 75DE0BF5 5 Bytes JMP 00890000
.text C:\Windows\Explorer.EXE[1356] ADVAPI32.dll!RegCreateKeyW 75DEB83D 5 Bytes JMP 0089004A
.text C:\Windows\Explorer.EXE[1356] ADVAPI32.dll!RegCreateKeyExW 75DEBCE1 5 Bytes JMP 00890FA1
.text C:\Windows\Explorer.EXE[1356] ADVAPI32.dll!RegOpenKeyExA 75DED4E8 5 Bytes JMP 00890FDE
.text C:\Windows\Explorer.EXE[1356] ADVAPI32.dll!RegOpenKeyW 75DF3CB0 5 Bytes JMP 00890FEF
.text C:\Windows\Explorer.EXE[1356] ADVAPI32.dll!RegOpenKeyExW 75DFF09D 5 Bytes JMP 00890FC3
.text C:\Windows\Explorer.EXE[1356] WS2_32.dll!socket 75E936D1 5 Bytes JMP 008A0FEF
.text C:\Windows\Explorer.EXE[1356] WININET.dll!InternetOpenA 760D03DD 5 Bytes JMP 036A0FEF
.text C:\Windows\Explorer.EXE[1356] WININET.dll!InternetOpenUrlA 760D20A3 5 Bytes JMP 036A0014
.text C:\Windows\Explorer.EXE[1356] WININET.dll!InternetOpenW 760D2A58 5 Bytes JMP 036A0FDE
.text C:\Windows\Explorer.EXE[1356] WININET.dll!InternetOpenUrlW 7611AF79 5 Bytes JMP 036A0FC3
.text C:\Windows\system32\svchost.exe[1500] kernel32.dll!GetStartupInfoW 75C81929 5 Bytes JMP 009700F3
.text C:\Windows\system32\svchost.exe[1500] kernel32.dll!GetStartupInfoA 75C819C9 5 Bytes JMP 00970FAD
.text C:\Windows\system32\svchost.exe[1500] kernel32.dll!CreateProcessW 75C81C01 5 Bytes JMP 00970F70
.text C:\Windows\system32\svchost.exe[1500] kernel32.dll!CreateProcessA 75C81C36 5 Bytes JMP 00970F81
.text C:\Windows\system32\svchost.exe[1500] kernel32.dll!VirtualProtect 75C81DD1 5 Bytes JMP 009700A2
.text C:\Windows\system32\svchost.exe[1500] kernel32.dll!CreateNamedPipeW 75C85C44 5 Bytes JMP 0097002F
.text C:\Windows\system32\svchost.exe[1500] kernel32.dll!LoadLibraryExW 75CA30C3 5 Bytes JMP 00970091
.text C:\Windows\system32\svchost.exe[1500] kernel32.dll!LoadLibraryW 75CA361F 5 Bytes JMP 0097005B
.text C:\Windows\system32\svchost.exe[1500] kernel32.dll!VirtualProtectEx 75CA8D7E 5 Bytes JMP 009700C7
.text C:\Windows\system32\svchost.exe[1500] kernel32.dll!LoadLibraryExA 75CA9469 5 Bytes JMP 00970076
.text C:\Windows\system32\svchost.exe[1500] kernel32.dll!LoadLibraryA 75CA9491 5 Bytes JMP 0097004A
.text C:\Windows\system32\svchost.exe[1500] kernel32.dll!CreatePipe 75CB0284 5 Bytes JMP 009700D8
.text C:\Windows\system32\svchost.exe[1500] kernel32.dll!GetProcAddress 75CCB8B6 5 Bytes JMP 00970118
.text C:\Windows\system32\svchost.exe[1500] kernel32.dll!CreateFileW 75CCCC4E 5 Bytes JMP 00970FDE
.text C:\Windows\system32\svchost.exe[1500] kernel32.dll!CreateFileA 75CCCF71 5 Bytes JMP 00970FEF
.text C:\Windows\system32\svchost.exe[1500] kernel32.dll!CreateNamedPipeA 75D141F6 5 Bytes JMP 0097001E
.text C:\Windows\system32\svchost.exe[1500] kernel32.dll!WinExec 75D153E7 5 Bytes JMP 00970F92
.text C:\Windows\system32\svchost.exe[1500] ADVAPI32.dll!RegCreateKeyExA 75DDB5E7 5 Bytes JMP 00DB0051
.text C:\Windows\system32\svchost.exe[1500] ADVAPI32.dll!RegCreateKeyA 75DDB8AE 5 Bytes JMP 00DB0FCA
.text C:\Windows\system32\svchost.exe[1500] ADVAPI32.dll!RegOpenKeyA 75DE0BF5 5 Bytes JMP 00DB0000
.text C:\Windows\system32\svchost.exe[1500] ADVAPI32.dll!RegCreateKeyW 75DEB83D 5 Bytes JMP 00DB0FB9
.text C:\Windows\system32\svchost.exe[1500] ADVAPI32.dll!RegCreateKeyExW 75DEBCE1 5 Bytes JMP 00DB0F9E
.text C:\Windows\system32\svchost.exe[1500] ADVAPI32.dll!RegOpenKeyExA 75DED4E8 5 Bytes JMP 00DB001B
.text C:\Windows\system32\svchost.exe[1500] ADVAPI32.dll!RegOpenKeyW 75DF3CB0 5 Bytes JMP 00DB0FE5
.text C:\Windows\system32\svchost.exe[1500] ADVAPI32.dll!RegOpenKeyExW 75DFF09D 5 Bytes JMP 00DB0036
.text C:\Windows\system32\svchost.exe[1500] WS2_32.dll!socket 75E936D1 5 Bytes JMP 01A60FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1756] kernel32.dll!LoadLibraryW 75CA361F 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1756] kernel32.dll!LoadLibraryA 75CA9491 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Windows\system32\svchost.exe[1928] kernel32.dll!GetStartupInfoW 75C81929 5 Bytes JMP 001E0EF0
.text C:\Windows\system32\svchost.exe[1928] kernel32.dll!GetStartupInfoA 75C819C9 5 Bytes JMP 001E0F0B
.text C:\Windows\system32\svchost.exe[1928] kernel32.dll!CreateProcessW 75C81C01 5 Bytes JMP 001E0ED5
.text C:\Windows\system32\svchost.exe[1928] kernel32.dll!CreateProcessA 75C81C36 5 Bytes JMP 001E006C
.text C:\Windows\system32\svchost.exe[1928] kernel32.dll!VirtualProtect 75C81DD1 5 Bytes JMP 001E0F48
.text C:\Windows\system32\svchost.exe[1928] kernel32.dll!CreateNamedPipeW 75C85C44 5 Bytes JMP 001E0FB9
.text C:\Windows\system32\svchost.exe[1928] kernel32.dll!LoadLibraryExW 75CA30C3 5 Bytes JMP 001E0F6F
.text C:\Windows\system32\svchost.exe[1928] kernel32.dll!LoadLibraryW 75CA361F 5 Bytes JMP 001E001B
.text C:\Windows\system32\svchost.exe[1928] kernel32.dll!VirtualProtectEx 75CA8D7E 5 Bytes JMP 001E0F37
.text C:\Windows\system32\svchost.exe[1928] kernel32.dll!LoadLibraryExA 75CA9469 5 Bytes JMP 001E002C
.text C:\Windows\system32\svchost.exe[1928] kernel32.dll!LoadLibraryA 75CA9491 5 Bytes JMP 001E0F94
.text C:\Windows\system32\svchost.exe[1928] kernel32.dll!CreatePipe 75CB0284 5 Bytes JMP 001E0F26
.text C:\Windows\system32\svchost.exe[1928] kernel32.dll!GetProcAddress 75CCB8B6 5 Bytes JMP 001E0087
.text C:\Windows\system32\svchost.exe[1928] kernel32.dll!CreateFileW 75CCCC4E 5 Bytes JMP 001E0FD4
.text C:\Windows\system32\svchost.exe[1928] kernel32.dll!CreateFileA 75CCCF71 5 Bytes JMP 001E0FEF
.text C:\Windows\system32\svchost.exe[1928] kernel32.dll!CreateNamedPipeA 75D141F6 5 Bytes JMP 001E000A
.text C:\Windows\system32\svchost.exe[1928] kernel32.dll!WinExec 75D153E7 5 Bytes JMP 001E005B
.text C:\Windows\system32\svchost.exe[1928] ADVAPI32.dll!RegCreateKeyExA 75DDB5E7 5 Bytes JMP 00330F8D
.text C:\Windows\system32\svchost.exe[1928] ADVAPI32.dll!RegCreateKeyA 75DDB8AE 5 Bytes JMP 00330FB9
.text C:\Windows\system32\svchost.exe[1928] ADVAPI32.dll!RegOpenKeyA 75DE0BF5 5 Bytes JMP 00330FEF
.text C:\Windows\system32\svchost.exe[1928] ADVAPI32.dll!RegCreateKeyW 75DEB83D 5 Bytes JMP 00330FA8
.text C:\Windows\system32\svchost.exe[1928] ADVAPI32.dll!RegCreateKeyExW 75DEBCE1 5 Bytes JMP 00330F7C
.text C:\Windows\system32\svchost.exe[1928] ADVAPI32.dll!RegOpenKeyExA 75DED4E8 5 Bytes JMP 00330025
.text C:\Windows\system32\svchost.exe[1928] ADVAPI32.dll!RegOpenKeyW 75DF3CB0 5 Bytes JMP 0033000A
.text C:\Windows\system32\svchost.exe[1928] ADVAPI32.dll!RegOpenKeyExW 75DFF09D 5 Bytes JMP 00330FD4
.text C:\Windows\system32\svchost.exe[1928] WS2_32.dll!socket 75E936D1 5 Bytes JMP 00340FEF
.text C:\Windows\system32\svchost.exe[2312] kernel32.dll!GetStartupInfoW 75C81929 5 Bytes JMP 001F009A
.text C:\Windows\system32\svchost.exe[2312] kernel32.dll!GetStartupInfoA 75C819C9 5 Bytes JMP 001F0089
.text C:\Windows\system32\svchost.exe[2312] kernel32.dll!CreateProcessW 75C81C01 5 Bytes JMP 001F0F14
.text C:\Windows\system32\svchost.exe[2312] kernel32.dll!CreateProcessA 75C81C36 5 Bytes JMP 001F0F2F
.text C:\Windows\system32\svchost.exe[2312] kernel32.dll!VirtualProtect 75C81DD1 5 Bytes JMP 001F0F7C
.text C:\Windows\system32\svchost.exe[2312] kernel32.dll!CreateNamedPipeW 75C85C44 5 Bytes JMP 001F0FCA
.text C:\Windows\system32\svchost.exe[2312] kernel32.dll!LoadLibraryExW 75CA30C3 5 Bytes JMP 001F0F8D
.text C:\Windows\system32\svchost.exe[2312] kernel32.dll!LoadLibraryW 75CA361F 5 Bytes JMP 001F0FB9
.text C:\Windows\system32\svchost.exe[2312] kernel32.dll!VirtualProtectEx 75CA8D7E 5 Bytes JMP 001F0067
.text C:\Windows\system32\svchost.exe[2312] kernel32.dll!LoadLibraryExA 75CA9469 5 Bytes JMP 001F0F9E
.text C:\Windows\system32\svchost.exe[2312] kernel32.dll!LoadLibraryA 75CA9491 5 Bytes JMP 001F0040
.text C:\Windows\system32\svchost.exe[2312] kernel32.dll!CreatePipe 75CB0284 5 Bytes JMP 001F0078
.text C:\Windows\system32\svchost.exe[2312] kernel32.dll!GetProcAddress 75CCB8B6 5 Bytes JMP 001F0F03
.text C:\Windows\system32\svchost.exe[2312] kernel32.dll!CreateFileW 75CCCC4E 5 Bytes JMP 001F0FEF
.text C:\Windows\system32\svchost.exe[2312] kernel32.dll!CreateFileA 75CCCF71 5 Bytes JMP 001F0000
.text C:\Windows\system32\svchost.exe[2312] kernel32.dll!CreateNamedPipeA 75D141F6 5 Bytes JMP 001F0025
.text C:\Windows\system32\svchost.exe[2312] kernel32.dll!WinExec 75D153E7 5 Bytes JMP 001F00AB
.text C:\Windows\system32\svchost.exe[2312] ADVAPI32.dll!RegCreateKeyExA 75DDB5E7 5 Bytes JMP 0026004A
.text C:\Windows\system32\svchost.exe[2312] ADVAPI32.dll!RegCreateKeyA 75DDB8AE 5 Bytes JMP 00260FC3
.text C:\Windows\system32\svchost.exe[2312] ADVAPI32.dll!RegOpenKeyA 75DE0BF5 5 Bytes JMP 0026000A
.text C:\Windows\system32\svchost.exe[2312] ADVAPI32.dll!RegCreateKeyW 75DEB83D 5 Bytes JMP 00260FA8
.text C:\Windows\system32\svchost.exe[2312] ADVAPI32.dll!RegCreateKeyExW 75DEBCE1 5 Bytes JMP 00260F8D
.text C:\Windows\system32\svchost.exe[2312] ADVAPI32.dll!RegOpenKeyExA 75DED4E8 5 Bytes JMP 00260FDE
.text C:\Windows\system32\svchost.exe[2312] ADVAPI32.dll!RegOpenKeyW 75DF3CB0 5 Bytes JMP 00260FEF
.text C:\Windows\system32\svchost.exe[2312] ADVAPI32.dll!RegOpenKeyExW 75DFF09D 5 Bytes JMP 0026002F
.text C:\Windows\system32\svchost.exe[2312] WS2_32.dll!socket 75E936D1 5 Bytes JMP 004F0000
.text C:\Windows\system32\svchost.exe[2548] kernel32.dll!GetStartupInfoW 75C81929 5 Bytes JMP 00200F6D
.text C:\Windows\system32\svchost.exe[2548] kernel32.dll!GetStartupInfoA 75C819C9 5 Bytes JMP 002000B3
.text C:\Windows\system32\svchost.exe[2548] kernel32.dll!CreateProcessW 75C81C01 5 Bytes JMP 00200F30
.text C:\Windows\system32\svchost.exe[2548] kernel32.dll!CreateProcessA 75C81C36 5 Bytes JMP 00200F4B
.text C:\Windows\system32\svchost.exe[2548] kernel32.dll!VirtualProtect 75C81DD1 5 Bytes JMP 00200062
.text C:\Windows\system32\svchost.exe[2548] kernel32.dll!CreateNamedPipeW 75C85C44 5 Bytes JMP 00200FC0
.text C:\Windows\system32\svchost.exe[2548] kernel32.dll!LoadLibraryExW 75CA30C3 5 Bytes JMP 00200051
.text C:\Windows\system32\svchost.exe[2548] kernel32.dll!LoadLibraryW 75CA361F 5 Bytes JMP 00200F9E
.text C:\Windows\system32\svchost.exe[2548] kernel32.dll!VirtualProtectEx 75CA8D7E 5 Bytes JMP 0020007D
.text C:\Windows\system32\svchost.exe[2548] kernel32.dll!LoadLibraryExA 75CA9469 5 Bytes JMP 00200036
.text C:\Windows\system32\svchost.exe[2548] kernel32.dll!LoadLibraryA 75CA9491 5 Bytes JMP 00200FAF
.text C:\Windows\system32\svchost.exe[2548] kernel32.dll!CreatePipe 75CB0284 5 Bytes JMP 00200098
.text C:\Windows\system32\svchost.exe[2548] kernel32.dll!GetProcAddress 75CCB8B6 5 Bytes JMP 00200F15
.text C:\Windows\system32\svchost.exe[2548] kernel32.dll!CreateFileW 75CCCC4E 5 Bytes JMP 00200011
.text C:\Windows\system32\svchost.exe[2548] kernel32.dll!CreateFileA 75CCCF71 5 Bytes JMP 00200000
.text C:\Windows\system32\svchost.exe[2548] kernel32.dll!CreateNamedPipeA 75D141F6 5 Bytes JMP 00200FE5
.text C:\Windows\system32\svchost.exe[2548] kernel32.dll!WinExec 75D153E7 5 Bytes JMP 00200F5C
.text C:\Windows\system32\svchost.exe[2548] ADVAPI32.dll!RegCreateKeyExA 75DDB5E7 5 Bytes JMP 0033006C
.text C:\Windows\system32\svchost.exe[2548] ADVAPI32.dll!RegCreateKeyA 75DDB8AE 5 Bytes JMP 00330040
.text C:\Windows\system32\svchost.exe[2548] ADVAPI32.dll!RegOpenKeyA 75DE0BF5 5 Bytes JMP 00330FEF
.text C:\Windows\system32\svchost.exe[2548] ADVAPI32.dll!RegCreateKeyW 75DEB83D 5 Bytes JMP 0033005B
.text C:\Windows\system32\svchost.exe[2548] ADVAPI32.dll!RegCreateKeyExW 75DEBCE1 5 Bytes JMP 0033007D
.text C:\Windows\system32\svchost.exe[2548] ADVAPI32.dll!RegOpenKeyExA 75DED4E8 5 Bytes JMP 0033000A
.text C:\Windows\system32\svchost.exe[2548] ADVAPI32.dll!RegOpenKeyW 75DF3CB0 5 Bytes JMP 00330FD4
.text C:\Windows\system32\svchost.exe[2548] ADVAPI32.dll!RegOpenKeyExW 75DFF09D 5 Bytes JMP 0033002F
.text C:\Windows\system32\svchost.exe[2548] WS2_32.dll!socket 75E936D1 5 Bytes JMP 00340000
.text C:\Windows\System32\svchost.exe[2592] kernel32.dll!GetStartupInfoW 75C81929 5 Bytes JMP 00050076
.text C:\Windows\System32\svchost.exe[2592] kernel32.dll!GetStartupInfoA 75C819C9 5 Bytes JMP 00050F26
.text C:\Windows\System32\svchost.exe[2592] kernel32.dll!CreateProcessW 75C81C01 5 Bytes JMP 000500A9
.text C:\Windows\System32\svchost.exe[2592] kernel32.dll!CreateProcessA 75C81C36 5 Bytes JMP 00050098
.text C:\Windows\System32\svchost.exe[2592] kernel32.dll!VirtualProtect 75C81DD1 5 Bytes JMP 00050F77
.text C:\Windows\System32\svchost.exe[2592] kernel32.dll!CreateNamedPipeW 75C85C44 5 Bytes JMP 0005002C
.text C:\Windows\System32\svchost.exe[2592] kernel32.dll!LoadLibraryExW 75CA30C3 5 Bytes JMP 00050F88
.text C:\Windows\System32\svchost.exe[2592] kernel32.dll!LoadLibraryW 75CA361F 5 Bytes JMP 00050FB6
.text C:\Windows\System32\svchost.exe[2592] kernel32.dll!VirtualProtectEx 75CA8D7E 5 Bytes JMP 00050F5C
.text C:\Windows\System32\svchost.exe[2592] kernel32.dll!LoadLibraryExA 75CA9469 5 Bytes JMP 00050FA5
.text C:\Windows\System32\svchost.exe[2592] kernel32.dll!LoadLibraryA 75CA9491 5 Bytes JMP 0005003D
.text C:\Windows\System32\svchost.exe[2592] kernel32.dll!CreatePipe 75CB0284 5 Bytes JMP 00050F41
.text C:\Windows\System32\svchost.exe[2592] kernel32.dll!GetProcAddress 75CCB8B6 1 Byte [ E9 ]
.text C:\Windows\System32\svchost.exe[2592] kernel32.dll!GetProcAddress + 2 75CCB8B8 3 Bytes [ 47, 38, 8A ]
.text C:\Windows\System32\svchost.exe[2592] kernel32.dll!CreateFileW 75CCCC4E 5 Bytes JMP 0005000A
.text C:\Windows\System32\svchost.exe[2592] kernel32.dll!CreateFileA 75CCCF71 5 Bytes JMP 00050FEF
.text C:\Windows\System32\svchost.exe[2592] kernel32.dll!CreateNamedPipeA 75D141F6 5 Bytes JMP 0005001B
.text C:\Windows\System32\svchost.exe[2592] kernel32.dll!WinExec 75D153E7 5 Bytes JMP 00050087
.text C:\Windows\System32\svchost.exe[2592] ADVAPI32.dll!RegCreateKeyExA 75DDB5E7 5 Bytes JMP 00060F9E
.text C:\Windows\System32\svchost.exe[2592] ADVAPI32.dll!RegCreateKeyA 75DDB8AE 5 Bytes JMP 00060FAF
.text C:\Windows\System32\svchost.exe[2592] ADVAPI32.dll!RegOpenKeyA 75DE0BF5 5 Bytes JMP 00060FEF
.text C:\Windows\System32\svchost.exe[2592] ADVAPI32.dll!RegCreateKeyW 75DEB83D 5 Bytes JMP 00060036
.text C:\Windows\System32\svchost.exe[2592] ADVAPI32.dll!RegCreateKeyExW 75DEBCE1 5 Bytes JMP 00060F8D
.text C:\Windows\System32\svchost.exe[2592] ADVAPI32.dll!RegOpenKeyExA 75DED4E8 5 Bytes JMP 00060FD4
.text C:\Windows\System32\svchost.exe[2592] ADVAPI32.dll!RegOpenKeyW 75DF3CB0 5 Bytes JMP 0006000A
.text C:\Windows\System32\svchost.exe[2592] ADVAPI32.dll!RegOpenKeyExW 75DFF09D 5 Bytes JMP 00060025
.text C:\Windows\System32\svchost.exe[2592] WS2_32.dll!socket 75E936D1 5 Bytes JMP 000C0000
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2804] kernel32.dll!ExitProcess 75CA3B54 5 Bytes JMP 05052422 C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2804] USER32.dll!MessageBoxA 7702D619 5 Bytes JMP 050523CC C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2804] USER32.dll!MessageBoxW 7702D667 5 Bytes JMP 050523F7 C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
.text C:\Users\Chuck\Desktop\gmer\gmer.exe[3392] kernel32.dll!WriteFile + 6 75CCC90C 1 Byte [ CC ]
.text C:\Windows\System32\svchost.exe[4720] kernel32.dll!GetStartupInfoW 75C81929 5 Bytes JMP 00010F52
.text C:\Windows\System32\svchost.exe[4720] kernel32.dll!GetStartupInfoA 75C819C9 5 Bytes JMP 00010F63
.text C:\Windows\System32\svchost.exe[4720] kernel32.dll!CreateProcessW 75C81C01 5 Bytes JMP 000100BD
.text C:\Windows\System32\svchost.exe[4720] kernel32.dll!CreateProcessA 75C81C36 5 Bytes JMP 00010F30
.text C:\Windows\System32\svchost.exe[4720] kernel32.dll!VirtualProtect 75C81DD1 5 Bytes JMP 00010F99
.text C:\Windows\System32\svchost.exe[4720] kernel32.dll!CreateNamedPipeW 75C85C44 5 Bytes JMP 0001002C
.text C:\Windows\System32\svchost.exe[4720] kernel32.dll!LoadLibraryExW 75CA30C3 5 Bytes JMP 00010073
.text C:\Windows\System32\svchost.exe[4720] kernel32.dll!LoadLibraryW 75CA361F 5 Bytes JMP 00010FB6
.text C:\Windows\System32\svchost.exe[4720] kernel32.dll!VirtualProtectEx 75CA8D7E 5 Bytes JMP 0001008E
.text C:\Windows\System32\svchost.exe[4720] kernel32.dll!LoadLibraryExA 75CA9469 5 Bytes JMP 00010058
.text C:\Windows\System32\svchost.exe[4720] kernel32.dll!LoadLibraryA 75CA9491 5 Bytes JMP 0001003D
.text C:\Windows\System32\svchost.exe[4720] kernel32.dll!CreatePipe 75CB0284 5 Bytes JMP 00010F7E
.text C:\Windows\System32\svchost.exe[4720] kernel32.dll!GetProcAddress 75CCB8B6 5 Bytes JMP 00010F0B
.text C:\Windows\System32\svchost.exe[4720] kernel32.dll!CreateFileW 75CCCC4E 5 Bytes JMP 00010011
.text C:\Windows\System32\svchost.exe[4720] kernel32.dll!CreateFileA 75CCCF71 5 Bytes JMP 00010000
.text C:\Windows\System32\svchost.exe[4720] kernel32.dll!CreateNamedPipeA 75D141F6 5 Bytes JMP 00010FDB
.text C:\Windows\System32\svchost.exe[4720] kernel32.dll!WinExec 75D153E7 5 Bytes JMP 00010F41
.text C:\Windows\System32\svchost.exe[4720] ADVAPI32.dll!RegCreateKeyExA 75DDB5E7 5 Bytes JMP 000A0058
.text C:\Windows\System32\svchost.exe[4720] ADVAPI32.dll!RegCreateKeyA 75DDB8AE 5 Bytes JMP 000A0FC0
.text C:\Windows\System32\svchost.exe[4720] ADVAPI32.dll!RegOpenKeyA 75DE0BF5 5 Bytes JMP 000A0FEF
.text C:\Windows\System32\svchost.exe[4720] ADVAPI32.dll!RegCreateKeyW 75DEB83D 5 Bytes JMP 000A0047
.text C:\Windows\System32\svchost.exe[4720] ADVAPI32.dll!RegCreateKeyExW 75DEBCE1 5 Bytes JMP 000A0F9B
.text C:\Windows\System32\svchost.exe[4720] ADVAPI32.dll!RegOpenKeyExA 75DED4E8 5 Bytes JMP 000A001B
.text C:\Windows\System32\svchost.exe[4720] ADVAPI32.dll!RegOpenKeyW 75DF3CB0 5 Bytes JMP 000A000A
.text C:\Windows\System32\svchost.exe[4720] ADVAPI32.dll!RegOpenKeyExW 75DFF09D 5 Bytes JMP 000A0036
.text C:\Windows\System32\svchost.exe[4720] WS2_32.dll!socket 75E936D1 5 Bytes JMP 000B0FEF

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.14 ----


And here is the new DDS log

DDS (Ver_09-01-19.01) - NTFSx86
Run by Chuck at 3:31:17.91 on Sun 02/01/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.2037.1073 [GMT -5:00]

AV: PC-cillin Internet Security - Virus Protection *On-access scanning enabled* (Outdated)
FW: PC-cillin Internet Security - Firewall *enabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\lxbkcoms.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Lexmark X1100 Series\LXBKbmgr.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Windows\System32\svchost.exe -k netsvcs
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Chuck\Desktop\dds.com
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uWindow Title = Internet Explorer provided by Dell
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070809
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070809
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [lxbkbmgr.exe] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\sttray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\windows\installer\{7f0c4457-8e64-491b-8d7b-991504365d1e}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL

============= SERVICES / DRIVERS ===============

R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2007-8-9 234496]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2007-8-9 7424]
R4 lxbk_device;lxbk_device;c:\windows\system32\lxbkcoms.exe -service --> c:\windows\system32\lxbkcoms.exe -service [?]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-8-8 29744]

=============== Created Last 30 ================

2009-02-01 02:30 235,859,103 a------- c:\windows\MEMORY.DMP
2009-02-01 02:25 250 a------- c:\windows\gmer.ini
2009-01-31 14:23 <DIR> --d----- C:\fsaua.data
2009-01-28 17:37 <DIR> --d----- c:\program files\FMS
2009-01-23 01:00 <DIR> --d----- c:\users\chuck\appdata\roaming\Malwarebytes
2009-01-23 01:00 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-23 01:00 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-23 01:00 <DIR> --d----- c:\programdata\Malwarebytes
2009-01-23 01:00 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-23 01:00 <DIR> --d----- c:\progra~2\Malwarebytes
2009-01-22 11:18 <DIR> --d----- c:\program files\CCleaner
2009-01-22 01:59 <DIR> --d----- c:\program files\a-squared Free

==================== Find3M ====================

2008-10-20 18:56 143,360 a------- c:\windows\inf\infstrng.dat
2008-10-20 18:56 86,016 a------- c:\windows\inf\infstor.dat
2008-10-20 18:56 51,200 a------- c:\windows\inf\infpub.dat
2008-10-02 23:19 174 a--sh--- c:\program files\desktop.ini
2008-10-02 23:05 665,600 a------- c:\windows\inf\drvindex.dat
2008-04-06 09:03 36,487,088 a------- c:\users\chuck\cjrX1100EN.exe
2006-11-02 07:39 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:39 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:39 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:39 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-08-08 16:29 76 ---shr-- c:\windows\CT4CET.bin
2008-10-25 07:19 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-10-25 07:19 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-10-25 07:19 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2007-08-09 00:09 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 3:32:07.36 ===============

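The GMER section above lists, per process, API entry points whose first bytes were overwritten with a JMP. What a responder needs from it is a summary rather than 80 near-identical lines: which processes carry hooks, whether each JMP target was mapped to a module on disk (as the GoogleServices.DLL entries are) or lands in memory GMER could not attribute to any file, and whether the same API set is hooked in every affected process. The following script is an added example written for this page; it is not part of GMER, DDS or the thread. The sample lines are copied from the log above, and the classification buckets and the "three or more unattributed JMPs" threshold are my own choices.

```python
import re
from collections import defaultdict

# One GMER user-mode hook line, e.g.
#   .text C:\...\svchost.exe[2548] kernel32.dll!CreateProcessW 75C81C01 5 Bytes JMP 00200F30
# An optional "+ N" after the function name means the patch sits N bytes into the function.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)"
    r"(?:\s+\+\s+(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes?\s+(?P<patch>.*)$"
)
# "JMP <target>", optionally followed by the module GMER mapped the target address to.
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]+)(?:\s+(?P<owner>.+))?$")

# Sample input: lines copied from the GMER log in this thread (a small subset).
SAMPLE = r"""
.text C:\Windows\system32\svchost.exe[2548] kernel32.dll!CreateProcessW 75C81C01 5 Bytes JMP 00200F30
.text C:\Windows\system32\svchost.exe[2548] kernel32.dll!LoadLibraryW 75CA361F 5 Bytes JMP 00200F9E
.text C:\Windows\system32\svchost.exe[2548] ADVAPI32.dll!RegCreateKeyExA 75DDB5E7 5 Bytes JMP 0033006C
.text C:\Windows\system32\svchost.exe[2548] WS2_32.dll!socket 75E936D1 5 Bytes JMP 00340000
.text C:\Windows\System32\svchost.exe[2592] kernel32.dll!CreateProcessW 75C81C01 5 Bytes JMP 000500A9
.text C:\Windows\System32\svchost.exe[2592] kernel32.dll!LoadLibraryW 75CA361F 5 Bytes JMP 00050FB6
.text C:\Windows\System32\svchost.exe[2592] kernel32.dll!GetProcAddress 75CCB8B6 1 Byte [ E9 ]
.text C:\Windows\System32\svchost.exe[2592] kernel32.dll!GetProcAddress + 2 75CCB8B8 3 Bytes [ 47, 38, 8A ]
.text C:\Windows\System32\svchost.exe[2592] WS2_32.dll!socket 75E936D1 5 Bytes JMP 000C0000
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2804] USER32.dll!MessageBoxA 7702D619 5 Bytes JMP 050523CC C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
.text C:\Users\Chuck\Desktop\gmer\gmer.exe[3392] kernel32.dll!WriteFile + 6 75CCC90C 1 Byte [ CC ]
"""


def parse_hook(line):
    """Return a dict describing one hook line, or None if the line is not a hook entry."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["offset"] = int(rec["offset"] or 0)
    rec["size"] = int(rec["size"])
    j = JMP_RE.match(rec["patch"])
    rec["kind"] = "jmp" if j else "bytes"
    rec["target"] = j.group("target") if j else None
    rec["owner"] = j.group("owner") if j else None  # None: target not backed by a known module
    return rec


def classify(rec):
    """Bucket a hook by how much GMER could say about where it leads (buckets are mine)."""
    if rec["kind"] == "jmp":
        return "attributed" if rec["owner"] else "unattributed"
    patched = re.findall(r"[0-9A-Fa-f]{2}", rec["patch"])
    if rec["offset"] == 0 and patched[:1] == ["E9"]:
        return "partial_jmp"  # E9 is the opcode of a near JMP; the rest was reported on its own line
    if patched == ["CC"]:
        return "breakpoint"   # int3: a debugger or the scanner instrumenting a call in itself
    return "bytes"


def triage(text, min_unattributed=3):
    """Group hooks by PID and flag processes with several JMPs into unmapped memory."""
    per_pid = {}
    for line in text.splitlines():
        rec = parse_hook(line)
        if rec is None:
            continue
        entry = per_pid.setdefault(
            rec["pid"], {"process": rec["proc"], "hooks": defaultdict(list)}
        )
        entry["hooks"][classify(rec)].append(f'{rec["module"]}!{rec["func"]}')
    flagged = sorted(
        pid for pid, e in per_pid.items()
        if len(e["hooks"]["unattributed"]) >= min_unattributed
    )
    return per_pid, flagged


def common_apis(per_pid, flagged):
    """Unattributed hooks present in every flagged process. The same set across many
    processes suggests one injected component rather than several unrelated products."""
    sets = [set(per_pid[p]["hooks"]["unattributed"]) for p in flagged]
    return sorted(set.intersection(*sets)) if sets else []


if __name__ == "__main__":
    per_pid, flagged = triage(SAMPLE)
    for pid in flagged:
        e = per_pid[pid]
        print(f"[{pid}] {e['process']}: {len(e['hooks']['unattributed'])} unattributed JMP hooks")
    print("hooked in every flagged process:", ", ".join(common_apis(per_pid, flagged)))
```

Run against the full log, the script separates the Google Desktop hooks (JMP targets mapped to GoogleServices.DLL, a product hooking its own process) and the single int3 in gmer.exe from the svchost.exe instances, where every JMP lands in a low, unmapped address range and the hooked set (process creation, library loading, registry key creation and socket creation) repeats in each one. That repetition, not any single line, is what makes the svchost entries worth a closer look.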
#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:44 PM

Posted 01 February 2009 - 12:20 PM

Hello.

If the older Javas won't uninstall, just install the new version on top of it. It won't be an issue.

Please tell me what symptoms of infection are present at the moment.

With Regards,
The Panda

#9 Dipstix6996

Dipstix6996
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:01:44 PM

Posted 01 February 2009 - 03:14 PM

So far I am unable to uninstall java or install an update and I got an error message trying to install the java update.

Posted Image



I also cannot install Windows updates.


Posted Image



Also, every now and then the screen has a black flicker and the tool bar changes from black (like the pix above) to white. I am also not allowed to do some functions with McAfee, but I am going to install a fresh copy and see if the problem continues. That's all I can think of for right now.

#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:44 PM

Posted 01 February 2009 - 03:33 PM

Hello.

This issue does not appear to be caused by malware. Please start a topic in the Windows Vista forum relating to this issue. Include a link back to this topic.

With Regards,
The Panda

#11 Dipstix6996

Dipstix6996
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:01:44 PM

Posted 02 February 2009 - 08:33 PM

Panda,

Thanks for all the help. I am starting a new topic as we speak (err, type).

#12 Dipstix6996

Dipstix6996
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:01:44 PM

Posted 03 February 2009 - 06:40 PM

I found this on that laptop I was working on:

C:\Users\Chuck\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\X4AC639H\NEWFUNC[1].0TM

My A-squared said it is an "Exploit.JS.Agent!IK".

Any idea what that is or what it can do?

#13 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:44 PM

Posted 04 February 2009 - 08:25 AM

Hello.

That is a temporary Internet file. They are picked up often as you browse and are mostly harmless.

This particular one is a Javascript embedded in a webpage. If your Java is up to date, it should not be a problem.

With Regards,
The Panda

#14 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:44 PM

Posted 11 February 2009 - 04:05 PM

Hello.

There has been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
