Slow computer, youtube videos won't load, probably a virus


17 replies to this topic

#1 Mrparkers

Posted 26 June 2009 - 04:38 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:28:42 PM, on 6/26/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP Bluetooth Laser Mobile Mouse\MulMouse.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Hewlett-Packard\HP Advisor\SSDK04.exe
C:\Users\Parker Family\Desktop\RuneScape.exe
C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Movie Maker\moviemk.exe
C:\Users\Parker Family\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Bluetooth Laser Mobile Mouse.lnk = C:\Program Files\HP Bluetooth Laser Mobile Mouse\MulMouse.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Vongo Tray.lnk = ?
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix:
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClient Control) - https://access.foley.com/dana-cached/sc/Jun...SetupClient.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2.2 - Unknown owner - C:\Users\Parker Family\Documents\DAH\~\My Server\474\xampp\apache\bin\apache.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Users\Parker Family\Documents\DAH\~\My Server\474\xampp\FileZillaFTP\FileZillaServer.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: mysql - Unknown owner - ~\My Server\474\xampp\mysql\bin\mysqld-nt.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SecureSrv - Unknown owner - C:\Program Files\Hide My IP 2008\SecureSrv.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TeamViewer 4 (TeamViewer4) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 14768 bytes


Thanks in advance
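The HijackThis log above is read by hand in this thread. As an added example (not a BleepingComputer or HijackThis tool, and not anything the poster ran), the script below parses the O2, O4 and O23 line shapes seen in that log and flags the entries a reviewer would normally check first: BHO registrations whose DLL is gone, startup shortcuts whose target could not be resolved, and services that are unsigned-looking ("Unknown owner"), point at a missing binary, live outside the usual system directories, or provide remote access or proxying. The rule set and the reason codes are assumptions chosen for this example; they mark items for review and say nothing about whether an entry is malicious. The sample lines are copied from the log above.

```python
"""Triage helper for HijackThis 2.0.2-style log lines (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Line shapes as they appear in HijackThis 2.0.2 output (see the log above).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<key>[^\]]*)\] )?(?P<target>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Assumption for this example: remote-control and anonymiser/proxy services
# deserve a look on a home laptop even when they were installed on purpose.
REMOTE_ACCESS = ("vnc", "teamviewer", "hide my ip")


@dataclass
class Finding:
    line: str
    reasons: list[str] = field(default_factory=list)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding with reason codes for one log line, or None if clean."""
    reasons: list[str] = []

    m = O2_RE.match(line)
    if m and m.group("path").strip().lower() == "(no file)":
        # CLSID still registered as a BHO, but the DLL it points at is gone.
        reasons.append("orphaned-bho")

    m = O4_RE.match(line)
    if m and " = " in m.group("target"):
        _shortcut, resolved = m.group("target").rsplit(" = ", 1)
        if resolved.strip() == "?":
            # HijackThis prints "?" when a startup .lnk target cannot be resolved.
            reasons.append("unresolved-shortcut")

    m = O23_RE.match(line)
    if m:
        name, owner, path = m.group("name"), m.group("owner"), m.group("path")
        lower = path.lower()
        if lower.endswith("(file missing)"):
            # Service is registered but its binary is absent: stale install or
            # a path someone could later drop a binary into.
            reasons.append("file-missing")
            lower = lower[: -len("(file missing)")].strip()
        if owner == "Unknown owner":
            # No company name in the binary's version info.
            reasons.append("unknown-owner")
        if not re.match(r"^[a-z]:\\", lower):
            reasons.append("non-absolute-path")
        elif lower.startswith("c:\\users\\"):
            reasons.append("user-profile-path")
        if any(k in (name + " " + lower).lower() for k in REMOTE_ACCESS):
            reasons.append("remote-access")

    return Finding(line, reasons) if reasons else None


def triage(log_text: str) -> list[Finding]:
    """Run triage_line over every line of a log and keep the flagged ones."""
    return [f for f in (triage_line(l.strip()) for l in log_text.splitlines()) if f]


def reasons_for(findings: list[Finding], prefix: str) -> list[str]:
    """Reason codes of the first finding whose line starts with prefix ([] if none)."""
    for f in findings:
        if f.line.startswith(prefix):
            return f.reasons
    return []


# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Vongo Tray.lnk = ?
O23 - Service: Apache2.2 - Unknown owner - C:\Users\Parker Family\Documents\DAH\~\My Server\474\xampp\apache\bin\apache.exe (file missing)
O23 - Service: mysql - Unknown owner - ~\My Server\474\xampp\mysql\bin\mysqld-nt.exe (file missing)
O23 - Service: SecureSrv - Unknown owner - C:\Program Files\Hide My IP 2008\SecureSrv.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(", ".join(finding.reasons).ljust(48), finding.line[:90])
```

A flagged line is a prompt to verify the binary (publisher, hash, install date) rather than a verdict; the "Unknown owner" and "(file missing)" markers come from HijackThis itself, while the path and remote-access checks are this example's own additions.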


#2 myrti


Posted 01 July 2009 - 10:02 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards _temp_



#3 Mrparkers


Posted 01 July 2009 - 06:55 PM

Thanks a lot for the help _temp_


DDS (Ver_09-06-26.01) - NTFSx86
Run by Parker Family at 18:52:50.88 on Wed 07/01/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1982.1016 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Windows\system32\rundll32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP Bluetooth Laser Mobile Mouse\MulMouse.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Users\Parker Family\Desktop\RuneScape.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Parker Family\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\users\parker~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpblue~1.lnk - c:\program files\hp bluetooth laser mobile mouse\MulMouse.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vongot~1.lnk - c:\windows\installer\{8c3ae2d1-854d-4650-a73d-c7cc7ee36b80}\NewShortcut2_DB7E00C96DEF489A8112D8F81614F45A.exe
mPolicies-system: FilterAdministratorToken = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - hxxp://simcity.ea.com/update/EARTPX.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} - hxxp://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} - hxxp://messenger.zone.msn.com/binary/Chess.cab57176.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://access.foley.com/dana-cached/sc/JuniperSetupClient.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\parker~1\appdata\roaming\mozilla\firefox\profiles\q3o6izgh.default\
FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_19.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");

============= SERVICES / DRIVERS ===============

R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-6-1 34064]

=============== Created Last 30 ================

2009-06-26 14:38 107,864 a------- c:\windows\system32\tsccvid.dll
2009-06-26 14:38 <DIR> --d----- c:\windows\system32\QuickTime
2009-06-26 14:37 <DIR> --d----- c:\program files\common files\TechSmith Shared
2009-06-18 17:08 <DIR> --d----- c:\users\parker~1\appdata\roaming\MozillaControl
2009-06-18 16:18 <DIR> --d----- c:\program files\Mozilla ActiveX Control v1.7.12
2009-06-18 16:18 <DIR> --d----- c:\program files\VideoLAN
2009-06-18 16:17 <DIR> --d----- c:\program files\Graboid
2009-06-09 11:54 <DIR> --d----- c:\users\parker~1\appdata\roaming\mIRC
2009-06-09 11:54 <DIR> --d----- c:\program files\mIRC
2009-06-03 20:48 <DIR> --d----- c:\program files\TweakWindow
2009-06-02 20:22 <DIR> --d----- c:\programdata\NCH Swift Sound
2009-06-02 20:22 <DIR> --d----- c:\program files\NCH Swift Sound
2009-06-02 20:18 <DIR> --d----- c:\program files\Audacity
2009-06-02 19:40 <DIR> --d----- c:\programdata\Sony
2009-06-02 19:39 <DIR> --d----- c:\program files\Sony
2009-06-02 19:24 <DIR> --d----- c:\users\parker family\SPANISH VIDEO AHHHHHH
2009-06-02 19:19 <DIR> --d----- c:\program files\3ivx

==================== Find3M ====================

2009-07-01 18:52 28,599 a------- c:\programdata\nvModes.dat
2009-07-01 18:52 28,599 a------- c:\progra~2\nvModes.dat
2009-06-29 14:31 1,537 a------- c:\windows\bthservsdp.dat
2009-05-23 07:50 31 a------- c:\users\parker family\jagex_runescape_preferences.dat
2009-04-20 18:32 51,200 a------- c:\windows\inf\infpub.dat
2009-04-20 18:32 143,360 a------- c:\windows\inf\infstrng.dat
2009-04-20 18:32 86,016 a------- c:\windows\inf\infstor.dat
2009-04-12 18:44 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-31 17:38 28,095 a------- c:\users\parker~1\appdata\roaming\nvModes.dat
2008-10-13 18:31 174 a--sh--- c:\program files\desktop.ini
2008-10-13 18:15 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-04-06 11:50 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-04-06 11:50 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-04-06 11:50 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 18:54:01.31 ===============


#4 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 03 July 2009 - 07:50 PM

Hi Mrparkers,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day then I will close the topic.

Thanks :thumbup2:
m0le is a proud member of UNITE

#5 Mrparkers

  • Topic Starter

  • Members
  • 34 posts

Posted 03 July 2009 - 11:05 PM

Alright, thanks for the post m0le.

I've subscribed, haven't uninstalled anything, and here's my reply :thumbup2:

Thanks again for the help

#6 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 04 July 2009 - 06:02 AM

Hi Mrparkers,

The logs look clean but obviously that isn't necessarily the case.

Firstly,

The log shows that you have been using so-called peer-to-peer or file-sharing programmes (in your case Limewire). These programmes allow files to be shared between users, as the name(s) suggest. In today's world cyber crime has come a long way and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of their malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

Now onto the fix

Can you give me an idea of the sort of problems you are having with the PC?

Then can you download and run these two scanners?

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop, please rename it as gamer.exe.
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
    Posted Image
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

And

We need to create an OTL Report
  • Please download OTL from the mirror:
    This is THE Mirror: http://oldtimer.geekstogo.com/OTL.exe
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open; copy and paste them in a reply here:
    OTListIt.txt <-- Will be opened
    Extra.txt <-- Will be minimized
Thanks :thumbup2:
m0le is a proud member of UNITE

#7 Mrparkers

  • Topic Starter

  • Members
  • 34 posts

Posted 06 July 2009 - 10:01 AM

Hi m0le,

Firstly, OTL didn't work. It stopped in the middle of the scan with this error:

Posted Image

I didn't get any logs from OTL at all.

GMER did work though, here is the log:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-04 14:10:14
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8D8659BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8D8659FC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8D865A3F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8D865930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8D865944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8D8659D2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8D865996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8D865A2B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8D865A12]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8D8659E8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8D865982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 8227218C 5 Bytes JMP 8D8659EC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[344] kernel32.dll!GetStartupInfoW 77101929 5 Bytes JMP 006C0F28
.text C:\Windows\system32\svchost.exe[344] kernel32.dll!GetStartupInfoA 771019C9 5 Bytes JMP 006C0F43
.text C:\Windows\system32\svchost.exe[344] kernel32.dll!CreateProcessW 77101C01 5 Bytes JMP 006C00A4
.text C:\Windows\system32\svchost.exe[344] kernel32.dll!CreateProcessA 77101C36 5 Bytes JMP 006C0089
.text C:\Windows\system32\svchost.exe[344] kernel32.dll!VirtualProtect 77101DD1 5 Bytes JMP 006C0F79
.text C:\Windows\system32\svchost.exe[344] kernel32.dll!CreateNamedPipeW 77105C44 5 Bytes JMP 006C0FB6
.text C:\Windows\system32\svchost.exe[344] kernel32.dll!LoadLibraryExW 771230C3 5 Bytes JMP 006C0F8A
.text C:\Windows\system32\svchost.exe[344] kernel32.dll!LoadLibraryW 7712361F 5 Bytes JMP 006C0036
.text C:\Windows\system32\svchost.exe[344] kernel32.dll!VirtualProtectEx 77128D7E 5 Bytes JMP 006C006E
.text C:\Windows\system32\svchost.exe[344] kernel32.dll!LoadLibraryExA 77129469 5 Bytes JMP 006C0047
.text C:\Windows\system32\svchost.exe[344] kernel32.dll!LoadLibraryA 77129491 5 Bytes JMP 006C0FA5
.text C:\Windows\system32\svchost.exe[344] kernel32.dll!CreatePipe 77130284 5 Bytes JMP 006C0F54
.text C:\Windows\system32\svchost.exe[344] kernel32.dll!GetProcAddress 7714B8B6 5 Bytes JMP 006C0EE8
.text C:\Windows\system32\svchost.exe[344] kernel32.dll!CreateFileW 7714CC4E 5 Bytes JMP 006C0011
.text C:\Windows\system32\svchost.exe[344] kernel32.dll!CreateFileA 7714CF71 5 Bytes JMP 006C0000
.text C:\Windows\system32\svchost.exe[344] kernel32.dll!CreateNamedPipeA 771941F6 5 Bytes JMP 006C0FDB
.text C:\Windows\system32\svchost.exe[344] kernel32.dll!WinExec 771953E7 5 Bytes JMP 006C0F0D
.text C:\Windows\system32\svchost.exe[344] msvcrt.dll!_wsystem 75B88A47 5 Bytes JMP 0014000C
.text C:\Windows\system32\svchost.exe[344] msvcrt.dll!system 75B88B63 5 Bytes JMP 00140F8B
.text C:\Windows\system32\svchost.exe[344] msvcrt.dll!_creat 75B8C6F1 5 Bytes JMP 00140FC1
.text C:\Windows\system32\svchost.exe[344] msvcrt.dll!_open 75B8DA7E 5 Bytes JMP 00140FEF
.text C:\Windows\system32\svchost.exe[344] msvcrt.dll!_wcreat 75B8DC9E 5 Bytes JMP 00140F9C
.text C:\Windows\system32\svchost.exe[344] msvcrt.dll!_wopen 75B8DE79 5 Bytes JMP 00140FDE
.text C:\Windows\system32\svchost.exe[344] ADVAPI32.dll!RegCreateKeyExA 76BFB5E7 5 Bytes JMP 006B0F86
.text C:\Windows\system32\svchost.exe[344] ADVAPI32.dll!RegCreateKeyA 76BFB8AE 5 Bytes JMP 006B0FA8
.text C:\Windows\system32\svchost.exe[344] ADVAPI32.dll!RegOpenKeyA 76C00BF5 5 Bytes JMP 006B0FEF
.text C:\Windows\system32\svchost.exe[344] ADVAPI32.dll!RegCreateKeyW 76C0B83D 5 Bytes JMP 006B0F97
.text C:\Windows\system32\svchost.exe[344] ADVAPI32.dll!RegCreateKeyExW 76C0BCE1 5 Bytes JMP 006B0F75
.text C:\Windows\system32\svchost.exe[344] ADVAPI32.dll!RegOpenKeyExA 76C0D4E8 5 Bytes JMP 006B0FD4
.text C:\Windows\system32\svchost.exe[344] ADVAPI32.dll!RegOpenKeyW 76C13CB0 5 Bytes JMP 006B000A
.text C:\Windows\system32\svchost.exe[344] ADVAPI32.dll!RegOpenKeyExW 76C1F09D 5 Bytes JMP 006B0FB9
.text C:\Windows\system32\svchost.exe[344] WS2_32.dll!socket 75C636D1 5 Bytes JMP 006A0000
.text C:\Windows\system32\services.exe[680] kernel32.dll!GetStartupInfoW 77101929 5 Bytes JMP 0009009F
.text C:\Windows\system32\services.exe[680] kernel32.dll!GetStartupInfoA 771019C9 5 Bytes JMP 00090084
.text C:\Windows\system32\services.exe[680] kernel32.dll!CreateProcessW 77101C01 5 Bytes JMP 00090F23
.text C:\Windows\system32\services.exe[680] kernel32.dll!CreateProcessA 77101C36 5 Bytes JMP 00090F34
.text C:\Windows\system32\services.exe[680] kernel32.dll!VirtualProtect 77101DD1 5 Bytes JMP 00090069
.text C:\Windows\system32\services.exe[680] kernel32.dll!CreateNamedPipeW 77105C44 5 Bytes JMP 0009001B
.text C:\Windows\system32\services.exe[680] kernel32.dll!LoadLibraryExW 771230C3 5 Bytes JMP 00090058
.text C:\Windows\system32\services.exe[680] kernel32.dll!LoadLibraryW 7712361F 5 Bytes JMP 0009002C
.text C:\Windows\system32\services.exe[680] kernel32.dll!VirtualProtectEx 77128D7E 5 Bytes JMP 00090F74
.text C:\Windows\system32\services.exe[680] kernel32.dll!LoadLibraryExA 77129469 5 Bytes JMP 00090047
.text C:\Windows\system32\services.exe[680] kernel32.dll!LoadLibraryA 77129491 5 Bytes JMP 00090FAF
.text C:\Windows\system32\services.exe[680] kernel32.dll!CreatePipe 77130284 5 Bytes JMP 00090F63
.text C:\Windows\system32\services.exe[680] kernel32.dll!GetProcAddress 7714B8B6 5 Bytes JMP 000900CB
.text C:\Windows\system32\services.exe[680] kernel32.dll!CreateFileW 7714CC4E 5 Bytes JMP 00090000
.text C:\Windows\system32\services.exe[680] kernel32.dll!CreateFileA 7714CF71 5 Bytes JMP 00090FE5
.text C:\Windows\system32\services.exe[680] kernel32.dll!CreateNamedPipeA 771941F6 5 Bytes JMP 00090FD4
.text C:\Windows\system32\services.exe[680] kernel32.dll!WinExec 771953E7 5 Bytes JMP 000900B0
.text C:\Windows\system32\services.exe[680] ADVAPI32.dll!RegCreateKeyExA 76BFB5E7 5 Bytes JMP 00080FB6
.text C:\Windows\system32\services.exe[680] ADVAPI32.dll!RegCreateKeyA 76BFB8AE 5 Bytes JMP 0008003D
.text C:\Windows\system32\services.exe[680] ADVAPI32.dll!RegOpenKeyA 76C00BF5 5 Bytes JMP 00080000
.text C:\Windows\system32\services.exe[680] ADVAPI32.dll!RegCreateKeyW 76C0B83D 5 Bytes JMP 00080058
.text C:\Windows\system32\services.exe[680] ADVAPI32.dll!RegCreateKeyExW 76C0BCE1 5 Bytes JMP 00080F9B
.text C:\Windows\system32\services.exe[680] ADVAPI32.dll!RegOpenKeyExA 76C0D4E8 5 Bytes JMP 00080011
.text C:\Windows\system32\services.exe[680] ADVAPI32.dll!RegOpenKeyW 76C13CB0 5 Bytes JMP 00080FDB
.text C:\Windows\system32\services.exe[680] ADVAPI32.dll!RegOpenKeyExW 76C1F09D 5 Bytes JMP 00080022
.text C:\Windows\system32\services.exe[680] msvcrt.dll!_wsystem 75B88A47 5 Bytes JMP 0006002E
.text C:\Windows\system32\services.exe[680] msvcrt.dll!system 75B88B63 5 Bytes JMP 00060FA3
.text C:\Windows\system32\services.exe[680] msvcrt.dll!_creat 75B8C6F1 5 Bytes JMP 00060FD2
.text C:\Windows\system32\services.exe[680] msvcrt.dll!_open 75B8DA7E 5 Bytes JMP 00060000
.text C:\Windows\system32\services.exe[680] msvcrt.dll!_wcreat 75B8DC9E 5 Bytes JMP 0006001D
.text C:\Windows\system32\services.exe[680] msvcrt.dll!_wopen 75B8DE79 5 Bytes JMP 00060FE3
.text C:\Windows\system32\services.exe[680] WS2_32.dll!socket 75C636D1 5 Bytes JMP 00070FEF
.text C:\Windows\system32\svchost.exe[700] kernel32.dll!GetStartupInfoW 77101929 5 Bytes JMP 00290F0D
.text C:\Windows\system32\svchost.exe[700] kernel32.dll!GetStartupInfoA 771019C9 5 Bytes JMP 00290F28
.text C:\Windows\system32\svchost.exe[700] kernel32.dll!CreateProcessW 77101C01 5 Bytes JMP 00290ED7
.text C:\Windows\system32\svchost.exe[700] kernel32.dll!CreateProcessA 77101C36 5 Bytes JMP 00290EE8
.text C:\Windows\system32\svchost.exe[700] kernel32.dll!VirtualProtect 77101DD1 5 Bytes JMP 00290053
.text C:\Windows\system32\svchost.exe[700] kernel32.dll!CreateNamedPipeW 77105C44 5 Bytes JMP 00290025
.text C:\Windows\system32\svchost.exe[700] kernel32.dll!LoadLibraryExW 771230C3 5 Bytes JMP 00290F79
.text C:\Windows\system32\svchost.exe[700] kernel32.dll!LoadLibraryW 7712361F 5 Bytes JMP 00290036
.text C:\Windows\system32\svchost.exe[700] kernel32.dll!VirtualProtectEx 77128D7E 5 Bytes JMP 00290F5E
.text C:\Windows\system32\svchost.exe[700] kernel32.dll!LoadLibraryExA 77129469 5 Bytes JMP 00290F8A
.text C:\Windows\system32\svchost.exe[700] kernel32.dll!LoadLibraryA 77129491 5 Bytes JMP 00290FAF
.text C:\Windows\system32\svchost.exe[700] kernel32.dll!CreatePipe 77130284 5 Bytes JMP 00290F4D
.text C:\Windows\system32\svchost.exe[700] kernel32.dll!GetProcAddress 7714B8B6 5 Bytes JMP 0029007F
.text C:\Windows\system32\svchost.exe[700] kernel32.dll!CreateFileW 7714CC4E 5 Bytes JMP 00290FE5
.text C:\Windows\system32\svchost.exe[700] kernel32.dll!CreateFileA 7714CF71 5 Bytes JMP 00290000
.text C:\Windows\system32\svchost.exe[700] kernel32.dll!CreateNamedPipeA 771941F6 5 Bytes JMP 00290FCA
.text C:\Windows\system32\svchost.exe[700] kernel32.dll!WinExec 771953E7 5 Bytes JMP 0029006E
.text C:\Windows\system32\svchost.exe[700] msvcrt.dll!_wsystem 75B88A47 5 Bytes JMP 00160FB9
.text C:\Windows\system32\svchost.exe[700] msvcrt.dll!system 75B88B63 5 Bytes JMP 0016004E
.text C:\Windows\system32\svchost.exe[700] msvcrt.dll!_creat 75B8C6F1 5 Bytes JMP 00160FEF
.text C:\Windows\system32\svchost.exe[700] msvcrt.dll!_open 75B8DA7E 5 Bytes JMP 0016000C
.text C:\Windows\system32\svchost.exe[700] msvcrt.dll!_wcreat 75B8DC9E 5 Bytes JMP 00160FDE
.text C:\Windows\system32\svchost.exe[700] msvcrt.dll!_wopen 75B8DE79 5 Bytes JMP 0016001D
.text C:\Windows\system32\svchost.exe[700] ADVAPI32.dll!RegCreateKeyExA 76BFB5E7 5 Bytes JMP 00280036
.text C:\Windows\system32\svchost.exe[700] ADVAPI32.dll!RegCreateKeyA 76BFB8AE 5 Bytes JMP 00280FA8
.text C:\Windows\system32\svchost.exe[700] ADVAPI32.dll!RegOpenKeyA 76C00BF5 5 Bytes JMP 00280FEF
.text C:\Windows\system32\svchost.exe[700] ADVAPI32.dll!RegCreateKeyW 76C0B83D 5 Bytes JMP 00280025
.text C:\Windows\system32\svchost.exe[700] ADVAPI32.dll!RegCreateKeyExW 76C0BCE1 5 Bytes JMP 00280F79
.text C:\Windows\system32\svchost.exe[700] ADVAPI32.dll!RegOpenKeyExA 76C0D4E8 5 Bytes JMP 0028000A
.text C:\Windows\system32\svchost.exe[700] ADVAPI32.dll!RegOpenKeyW 76C13CB0 5 Bytes JMP 00280FDE
.text C:\Windows\system32\svchost.exe[700] ADVAPI32.dll!RegOpenKeyExW 76C1F09D 5 Bytes JMP 00280FC3
.text C:\Windows\system32\lsass.exe[712] kernel32.dll!GetStartupInfoW 77101929 5 Bytes JMP 00A40F72
.text C:\Windows\system32\lsass.exe[712] kernel32.dll!GetStartupInfoA 771019C9 5 Bytes JMP 00A40F8D
.text C:\Windows\system32\lsass.exe[712] kernel32.dll!CreateProcessW 77101C01 5 Bytes JMP 00A400FF
.text C:\Windows\system32\lsass.exe[712] kernel32.dll!CreateProcessA 77101C36 5 Bytes JMP 00A400E4
.text C:\Windows\system32\lsass.exe[712] kernel32.dll!VirtualProtect 77101DD1 5 Bytes JMP 00A40FA8
.text C:\Windows\system32\lsass.exe[712] kernel32.dll!CreateNamedPipeW 77105C44 5 Bytes JMP 00A40FCA
.text C:\Windows\system32\lsass.exe[712] kernel32.dll!LoadLibraryExW 771230C3 5 Bytes JMP 00A40076
.text C:\Windows\system32\lsass.exe[712] kernel32.dll!LoadLibraryW 7712361F 5 Bytes JMP 00A40FB9
.text C:\Windows\system32\lsass.exe[712] kernel32.dll!VirtualProtectEx 77128D7E 5 Bytes JMP 00A400A7
.text C:\Windows\system32\lsass.exe[712] kernel32.dll!LoadLibraryExA 77129469 5 Bytes JMP 00A4005B
.text C:\Windows\system32\lsass.exe[712] kernel32.dll!LoadLibraryA 77129491 5 Bytes JMP 00A40040
.text C:\Windows\system32\lsass.exe[712] kernel32.dll!CreatePipe 77130284 5 Bytes JMP 00A400B8
.text C:\Windows\system32\lsass.exe[712] kernel32.dll!GetProcAddress 7714B8B6 5 Bytes JMP 00A40110
.text C:\Windows\system32\lsass.exe[712] kernel32.dll!CreateFileW 7714CC4E 5 Bytes JMP 00A40000
.text C:\Windows\system32\lsass.exe[712] kernel32.dll!CreateFileA 7714CF71 5 Bytes JMP 00A40FEF
.text C:\Windows\system32\lsass.exe[712] kernel32.dll!CreateNamedPipeA 771941F6 5 Bytes JMP 00A4001B
.text C:\Windows\system32\lsass.exe[712] kernel32.dll!WinExec 771953E7 5 Bytes JMP 00A400D3
.text C:\Windows\system32\lsass.exe[712] ADVAPI32.dll!RegCreateKeyExA 76BFB5E7 5 Bytes JMP 008E0F8A
.text C:\Windows\system32\lsass.exe[712] ADVAPI32.dll!RegCreateKeyA 76BFB8AE 5 Bytes JMP 008E0FB6
.text C:\Windows\system32\lsass.exe[712] ADVAPI32.dll!RegOpenKeyA 76C00BF5 5 Bytes JMP 008E0FEF
.text C:\Windows\system32\lsass.exe[712] ADVAPI32.dll!RegCreateKeyW 76C0B83D 5 Bytes JMP 008E0FA5
.text C:\Windows\system32\lsass.exe[712] ADVAPI32.dll!RegCreateKeyExW 76C0BCE1 5 Bytes JMP 008E0051
.text C:\Windows\system32\lsass.exe[712] ADVAPI32.dll!RegOpenKeyExA 76C0D4E8 5 Bytes JMP 008E001B
.text C:\Windows\system32\lsass.exe[712] ADVAPI32.dll!RegOpenKeyW 76C13CB0 5 Bytes JMP 008E0000
.text C:\Windows\system32\lsass.exe[712] ADVAPI32.dll!RegOpenKeyExW 76C1F09D 5 Bytes JMP 008E002C
.text C:\Windows\system32\lsass.exe[712] msvcrt.dll!_wsystem 75B88A47 5 Bytes JMP 0083005A
.text C:\Windows\system32\lsass.exe[712] msvcrt.dll!system 75B88B63 5 Bytes JMP 0083003F
.text C:\Windows\system32\lsass.exe[712] msvcrt.dll!_creat 75B8C6F1 5 Bytes JMP 0083002E
.text C:\Windows\system32\lsass.exe[712] msvcrt.dll!_open 75B8DA7E 5 Bytes JMP 00830000
.text C:\Windows\system32\lsass.exe[712] msvcrt.dll!_wcreat 75B8DC9E 5 Bytes JMP 00830FCF
.text C:\Windows\system32\lsass.exe[712] msvcrt.dll!_wopen 75B8DE79 5 Bytes JMP 0083001D
.text C:\Windows\system32\lsass.exe[712] WS2_32.dll!socket 75C636D1 5 Bytes JMP 008D0FE5
.text C:\Windows\system32\svchost.exe[892] kernel32.dll!GetStartupInfoW 77101929 5 Bytes JMP 007300B5
.text C:\Windows\system32\svchost.exe[892] kernel32.dll!GetStartupInfoA 771019C9 5 Bytes JMP 00730F65
.text C:\Windows\system32\svchost.exe[892] kernel32.dll!CreateProcessW 77101C01 5 Bytes JMP 007300EB
.text C:\Windows\system32\svchost.exe[892] kernel32.dll!CreateProcessA 77101C36 5 Bytes JMP 00730F54
.text C:\Windows\system32\svchost.exe[892] kernel32.dll!VirtualProtect 77101DD1 5 Bytes JMP 00730F9B
.text C:\Windows\system32\svchost.exe[892] kernel32.dll!CreateNamedPipeW 77105C44 5 Bytes JMP 00730FC0
.text C:\Windows\system32\svchost.exe[892] kernel32.dll!LoadLibraryExW 771230C3 5 Bytes JMP 00730069
.text C:\Windows\system32\svchost.exe[892] kernel32.dll!LoadLibraryW 7712361F 5 Bytes JMP 00730033
.text C:\Windows\system32\svchost.exe[892] kernel32.dll!VirtualProtectEx 77128D7E 5 Bytes JMP 0073009A
.text C:\Windows\system32\svchost.exe[892] kernel32.dll!LoadLibraryExA 77129469 5 Bytes JMP 00730058
.text C:\Windows\system32\svchost.exe[892] kernel32.dll!LoadLibraryA 77129491 5 Bytes JMP 00730022
.text C:\Windows\system32\svchost.exe[892] kernel32.dll!CreatePipe 77130284 5 Bytes JMP 00730F8A
.text C:\Windows\system32\svchost.exe[892] kernel32.dll!GetProcAddress 7714B8B6 5 Bytes JMP 007300FC
.text C:\Windows\system32\svchost.exe[892] kernel32.dll!CreateFileW 7714CC4E 5 Bytes JMP 00730011
.text C:\Windows\system32\svchost.exe[892] kernel32.dll!CreateFileA 7714CF71 5 Bytes JMP 00730000
.text C:\Windows\system32\svchost.exe[892] kernel32.dll!CreateNamedPipeA 771941F6 5 Bytes JMP 00730FD1
.text C:\Windows\system32\svchost.exe[892] kernel32.dll!WinExec 771953E7 5 Bytes JMP 007300D0
.text C:\Windows\system32\svchost.exe[892] msvcrt.dll!_wsystem 75B88A47 5 Bytes JMP 00700016
.text C:\Windows\system32\svchost.exe[892] msvcrt.dll!system 75B88B63 5 Bytes JMP 00700F8B
.text C:\Windows\system32\svchost.exe[892] msvcrt.dll!_creat 75B8C6F1 5 Bytes JMP 00700FB7
.text C:\Windows\system32\svchost.exe[892] msvcrt.dll!_open 75B8DA7E 5 Bytes JMP 00700FE3
.text C:\Windows\system32\svchost.exe[892] msvcrt.dll!_wcreat 75B8DC9E 5 Bytes JMP 00700FA6
.text C:\Windows\system32\svchost.exe[892] msvcrt.dll!_wopen 75B8DE79 5 Bytes JMP 00700FD2
.text C:\Windows\system32\svchost.exe[892] ADVAPI32.dll!RegCreateKeyExA 76BFB5E7 5 Bytes JMP 00720FAC
.text C:\Windows\system32\svchost.exe[892] ADVAPI32.dll!RegCreateKeyA 76BFB8AE 5 Bytes JMP 00720FBD
.text C:\Windows\system32\svchost.exe[892] ADVAPI32.dll!RegOpenKeyA 76C00BF5 5 Bytes JMP 00720000
.text C:\Windows\system32\svchost.exe[892] ADVAPI32.dll!RegCreateKeyW 76C0B83D 5 Bytes JMP 0072004E
.text C:\Windows\system32\svchost.exe[892] ADVAPI32.dll!RegCreateKeyExW 76C0BCE1 5 Bytes JMP 00720F9B
.text C:\Windows\system32\svchost.exe[892] ADVAPI32.dll!RegOpenKeyExA 76C0D4E8 5 Bytes JMP 00720022
.text C:\Windows\system32\svchost.exe[892] ADVAPI32.dll!RegOpenKeyW 76C13CB0 5 Bytes JMP 00720011
.text C:\Windows\system32\svchost.exe[892] ADVAPI32.dll!RegOpenKeyExW 76C1F09D 5 Bytes JMP 00720033
.text C:\Windows\system32\svchost.exe[892] WS2_32.dll!socket 75C636D1 5 Bytes JMP 00710FEF
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!GetStartupInfoW 77101929 5 Bytes JMP 008D0F81
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!GetStartupInfoA 771019C9 5 Bytes JMP 008D00BD
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!CreateProcessW 77101C01 5 Bytes JMP 008D0118
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!CreateProcessA 77101C36 5 Bytes JMP 008D0107
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!VirtualProtect 77101DD1 5 Bytes JMP 008D0087
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!CreateNamedPipeW 77105C44 5 Bytes JMP 008D0FDE
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!LoadLibraryExW 771230C3 5 Bytes JMP 008D0076
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!LoadLibraryW 7712361F 5 Bytes JMP 008D005B
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!VirtualProtectEx 77128D7E 5 Bytes JMP 008D0F92
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!LoadLibraryExA 77129469 5 Bytes JMP 008D0FC3
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!LoadLibraryA 77129491 5 Bytes JMP 008D0040
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!CreatePipe 77130284 5 Bytes JMP 008D00AC
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!GetProcAddress 7714B8B6 5 Bytes JMP 008D0F66
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!CreateFileW 7714CC4E 5 Bytes JMP 008D000A
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!CreateFileA 7714CF71 5 Bytes JMP 008D0FEF
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!CreateNamedPipeA 771941F6 5 Bytes JMP 008D002F
.text C:\Windows\system32\svchost.exe[968] kernel32.dll!WinExec 771953E7 5 Bytes JMP 008D00E2
.text C:\Windows\system32\svchost.exe[968] msvcrt.dll!_wsystem 75B88A47 5 Bytes JMP 001D0036
.text C:\Windows\system32\svchost.exe[968] msvcrt.dll!system 75B88B63 5 Bytes JMP 001D0FAB
.text C:\Windows\system32\svchost.exe[968] msvcrt.dll!_creat 75B8C6F1 5 Bytes JMP 001D0FBC
.text C:\Windows\system32\svchost.exe[968] msvcrt.dll!_open 75B8DA7E 5 Bytes JMP 001D0FE3
.text C:\Windows\system32\svchost.exe[968] msvcrt.dll!_wcreat 75B8DC9E 5 Bytes JMP 001D001B
.text C:\Windows\system32\svchost.exe[968] msvcrt.dll!_wopen 75B8DE79 5 Bytes JMP 001D0000
.text C:\Windows\system32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyExA 76BFB5E7 5 Bytes JMP 00880FCA
.text C:\Windows\system32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyA 76BFB8AE 5 Bytes JMP 00880051
.text C:\Windows\system32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyA 76C00BF5 5 Bytes JMP 00880FEF
.text C:\Windows\system32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyW 76C0B83D 5 Bytes JMP 00880062
.text C:\Windows\system32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyExW 76C0BCE1 5 Bytes JMP 00880087
.text C:\Windows\system32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyExA 76C0D4E8 5 Bytes JMP 0088001B
.text C:\Windows\system32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyW 76C13CB0 5 Bytes JMP 0088000A
.text C:\Windows\system32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyExW 76C1F09D 5 Bytes JMP 00880036
.text C:\Windows\system32\svchost.exe[968] WS2_32.dll!socket 75C636D1 5 Bytes JMP 00870FE5
.text C:\Windows\System32\svchost.exe[1120] kernel32.dll!GetStartupInfoW 77101929 5 Bytes JMP 007700C6
.text C:\Windows\System32\svchost.exe[1120] kernel32.dll!GetStartupInfoA 771019C9 5 Bytes JMP 00770F80
.text C:\Windows\System32\svchost.exe[1120] kernel32.dll!CreateProcessW 77101C01 5 Bytes JMP 00770117
.text C:\Windows\System32\svchost.exe[1120] kernel32.dll!CreateProcessA 77101C36 5 Bytes JMP 007700FC
.text C:\Windows\System32\svchost.exe[1120] kernel32.dll!VirtualProtect 77101DD1 5 Bytes JMP 0077009A
.text C:\Windows\System32\svchost.exe[1120] kernel32.dll!CreateNamedPipeW 77105C44 5 Bytes JMP 00770036
.text C:\Windows\System32\svchost.exe[1120] kernel32.dll!LoadLibraryExW 771230C3 5 Bytes JMP 00770FC0
.text C:\Windows\System32\svchost.exe[1120] kernel32.dll!LoadLibraryW 7712361F 5 Bytes JMP 00770062
.text C:\Windows\System32\svchost.exe[1120] kernel32.dll!VirtualProtectEx 77128D7E 5 Bytes JMP 007700B5
.text C:\Windows\System32\svchost.exe[1120] kernel32.dll!LoadLibraryExA 77129469 5 Bytes JMP 00770073
.text C:\Windows\System32\svchost.exe[1120] kernel32.dll!LoadLibraryA 77129491 5 Bytes JMP 00770051
.text C:\Windows\System32\svchost.exe[1120] kernel32.dll!CreatePipe 77130284 5 Bytes JMP 00770F9B
.text C:\Windows\System32\svchost.exe[1120] kernel32.dll!GetProcAddress 7714B8B6 5 Bytes JMP 00770F6F
.text C:\Windows\System32\svchost.exe[1120] kernel32.dll!CreateFileW 7714CC4E 5 Bytes JMP 00770000
.text C:\Windows\System32\svchost.exe[1120] kernel32.dll!CreateFileA 7714CF71 5 Bytes JMP 00770FEF
.text C:\Windows\System32\svchost.exe[1120] kernel32.dll!CreateNamedPipeA 771941F6 5 Bytes JMP 00770011
.text C:\Windows\System32\svchost.exe[1120] kernel32.dll!WinExec 771953E7 1 Byte [E9]
.text C:\Windows\System32\svchost.exe[1120] kernel32.dll!WinExec 771953E7 5 Bytes JMP 007700EB
.text C:\Windows\System32\svchost.exe[1120] msvcrt.dll!_wsystem 75B88A47 5 Bytes JMP 000E0055
.text C:\Windows\System32\svchost.exe[1120] msvcrt.dll!system 75B88B63 5 Bytes JMP 000E0044
.text C:\Windows\System32\svchost.exe[1120] msvcrt.dll!_creat 75B8C6F1 5 Bytes JMP 000E0029
.text C:\Windows\System32\svchost.exe[1120] msvcrt.dll!_open 75B8DA7E 5 Bytes JMP 000E0FEF
.text C:\Windows\System32\svchost.exe[1120] msvcrt.dll!_wcreat 75B8DC9E 5 Bytes JMP 000E0FD4
.text C:\Windows\System32\svchost.exe[1120] msvcrt.dll!_wopen 75B8DE79 5 Bytes JMP 000E0018
.text C:\Windows\System32\svchost.exe[1120] ADVAPI32.dll!RegCreateKeyExA 76BFB5E7 5 Bytes JMP 00110040
.text C:\Windows\System32\svchost.exe[1120] ADVAPI32.dll!RegCreateKeyA 76BFB8AE 5 Bytes JMP 00110FAF
.text C:\Windows\System32\svchost.exe[1120] ADVAPI32.dll!RegOpenKeyA 76C00BF5 5 Bytes JMP 00110FEF
.text C:\Windows\System32\svchost.exe[1120] ADVAPI32.dll!RegCreateKeyW 76C0B83D 5 Bytes JMP 00110F9E
.text C:\Windows\System32\svchost.exe[1120] ADVAPI32.dll!RegCreateKeyExW 76C0BCE1 5 Bytes JMP 0011005B
.text C:\Windows\System32\svchost.exe[1120] ADVAPI32.dll!RegOpenKeyExA 76C0D4E8 5 Bytes JMP 00110FD4
.text C:\Windows\System32\svchost.exe[1120] ADVAPI32.dll!RegOpenKeyW 76C13CB0 5 Bytes JMP 0011000A
.text C:\Windows\System32\svchost.exe[1120] ADVAPI32.dll!RegOpenKeyExW 76C1F09D 5 Bytes JMP 0011001B
.text C:\Windows\System32\svchost.exe[1120] WS2_32.dll!socket 75C636D1 5 Bytes JMP 00100FEF
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!GetStartupInfoW 77101929 5 Bytes JMP 009A009E
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!GetStartupInfoA 771019C9 5 Bytes JMP 009A0083
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!CreateProcessW 77101C01 5 Bytes JMP 009A0F07
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!CreateProcessA 77101C36 5 Bytes JMP 009A0F22
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!VirtualProtect 77101DD1 5 Bytes JMP 009A0F69
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!CreateNamedPipeW 77105C44 5 Bytes JMP 009A0FB9
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!LoadLibraryExW 771230C3 5 Bytes JMP 009A0F7A
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!LoadLibraryW 7712361F 5 Bytes JMP 009A0F97
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!VirtualProtectEx 77128D7E 5 Bytes JMP 009A0F58
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!LoadLibraryExA 77129469 5 Bytes JMP 009A0039
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!LoadLibraryA 77129491 5 Bytes JMP 009A0FA8
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!CreatePipe 77130284 5 Bytes JMP 009A0068
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!GetProcAddress 7714B8B6 5 Bytes JMP 009A0EF6
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!CreateFileW 7714CC4E 5 Bytes JMP 009A0000
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!CreateFileA 7714CF71 5 Bytes JMP 009A0FEF
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!CreateNamedPipeA 771941F6 5 Bytes JMP 009A0FD4
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!WinExec 771953E7 5 Bytes JMP 009A0F33
.text C:\Windows\System32\svchost.exe[1148] msvcrt.dll!_wsystem 75B88A47 5 Bytes JMP 00930067
.text C:\Windows\System32\svchost.exe[1148] msvcrt.dll!system 75B88B63 5 Bytes JMP 00930FD2
.text C:\Windows\System32\svchost.exe[1148] msvcrt.dll!_creat 75B8C6F1 5 Bytes JMP 00930027
.text C:\Windows\System32\svchost.exe[1148] msvcrt.dll!_open 75B8DA7E 5 Bytes JMP 00930FE3
.text C:\Windows\System32\svchost.exe[1148] msvcrt.dll!_wcreat 75B8DC9E 5 Bytes JMP 00930038
.text C:\Windows\System32\svchost.exe[1148] msvcrt.dll!_wopen 75B8DE79 5 Bytes JMP 00930000
.text C:\Windows\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyExA 76BFB5E7 5 Bytes JMP 00950FBD
.text C:\Windows\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyA 76BFB8AE 5 Bytes JMP 00950044
.text C:\Windows\System32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyA 76C00BF5 5 Bytes JMP 00950000
.text C:\Windows\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyW 76C0B83D 5 Bytes JMP 00950055
.text C:\Windows\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyExW 76C0BCE1 5 Bytes JMP 00950084
.text C:\Windows\System32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyExA 76C0D4E8 5 Bytes JMP 00950022
.text C:\Windows\System32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyW 76C13CB0 5 Bytes JMP 00950011
.text C:\Windows\System32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyExW 76C1F09D 5 Bytes JMP 00950033
.text C:\Windows\System32\svchost.exe[1148] WS2_32.dll!socket 75C636D1 5 Bytes JMP 00940000
.text C:\Windows\system32\svchost.exe[1192] kernel32.dll!GetStartupInfoW 77101929 5 Bytes JMP 00A70F1F
.text C:\Windows\system32\svchost.exe[1192] kernel32.dll!GetStartupInfoA 771019C9 5 Bytes JMP 00A70F3A
.text C:\Windows\system32\svchost.exe[1192] kernel32.dll!CreateProcessW 77101C01 5 Bytes JMP 00A70091
.text C:\Windows\system32\svchost.exe[1192] kernel32.dll!CreateProcessA 77101C36 5 Bytes JMP 00A70EFA
.text C:\Windows\system32\svchost.exe[1192] kernel32.dll!VirtualProtect 77101DD1 5 Bytes JMP 00A70F81
.text C:\Windows\system32\svchost.exe[1192] kernel32.dll!CreateNamedPipeW 77105C44 5 Bytes JMP 00A7000A
.text C:\Windows\system32\svchost.exe[1192] kernel32.dll!LoadLibraryExW 771230C3 5 Bytes JMP 00A7005B
.text C:\Windows\system32\svchost.exe[1192] kernel32.dll!LoadLibraryW 7712361F 5 Bytes JMP 00A70036
.text C:\Windows\system32\svchost.exe[1192] kernel32.dll!VirtualProtectEx 77128D7E 5 Bytes JMP 00A70F66
.text C:\Windows\system32\svchost.exe[1192] kernel32.dll!LoadLibraryExA 77129469 5 Bytes JMP 00A70F9E
.text C:\Windows\system32\svchost.exe[1192] kernel32.dll!LoadLibraryA 77129491 5 Bytes JMP 00A70025
.text C:\Windows\system32\svchost.exe[1192] kernel32.dll!CreatePipe 77130284 5 Bytes JMP 00A70F4B
.text C:\Windows\system32\svchost.exe[1192] kernel32.dll!GetProcAddress 7714B8B6 5 Bytes JMP 00A700A2
.text C:\Windows\system32\svchost.exe[1192] kernel32.dll!CreateFileW 7714CC4E 5 Bytes JMP 00A70FD4
.text C:\Windows\system32\svchost.exe[1192] kernel32.dll!CreateFileA 7714CF71 5 Bytes JMP 00A70FE5
.text C:\Windows\system32\svchost.exe[1192] kernel32.dll!CreateNamedPipeA 771941F6 5 Bytes JMP 00A70FB9
.text C:\Windows\system32\svchost.exe[1192] kernel32.dll!WinExec 771953E7 5 Bytes JMP 00A70080
.text C:\Windows\system32\svchost.exe[1192] msvcrt.dll!_wsystem 75B88A47 5 Bytes JMP 00930FAB
.text C:\Windows\system32\svchost.exe[1192] msvcrt.dll!system 75B88B63 5 Bytes JMP 00930FBC
.text C:\Windows\system32\svchost.exe[1192] msvcrt.dll!_creat 75B8C6F1 5 Bytes JMP 00930011
.text C:\Windows\system32\svchost.exe[1192] msvcrt.dll!_open 75B8DA7E 5 Bytes JMP 00930000
.text C:\Windows\system32\svchost.exe[1192] msvcrt.dll!_wcreat 75B8DC9E 5 Bytes JMP 0093002C
.text C:\Windows\system32\svchost.exe[1192] msvcrt.dll!_wopen 75B8DE79 5 Bytes JMP 00930FD7
.text C:\Windows\system32\svchost.exe[1192] ADVAPI32.dll!RegCreateKeyExA 76BFB5E7 5 Bytes JMP 00960062
.text C:\Windows\system32\svchost.exe[1192] ADVAPI32.dll!RegCreateKeyA 76BFB8AE 5 Bytes JMP 00960036
.text C:\Windows\system32\svchost.exe[1192] ADVAPI32.dll!RegOpenKeyA 76C00BF5 5 Bytes JMP 00960FEF
.text C:\Windows\system32\svchost.exe[1192] ADVAPI32.dll!RegCreateKeyW 76C0B83D 5 Bytes JMP 00960051
.text C:\Windows\system32\svchost.exe[1192] ADVAPI32.dll!RegCreateKeyExW 76C0BCE1 5 Bytes JMP 00960FA5
.text C:\Windows\system32\svchost.exe[1192] ADVAPI32.dll!RegOpenKeyExA 76C0D4E8 5 Bytes JMP 00960000
.text C:\Windows\system32\svchost.exe[1192] ADVAPI32.dll!RegOpenKeyW 76C13CB0 5 Bytes JMP 00960FD4
.text C:\Windows\system32\svchost.exe[1192] ADVAPI32.dll!RegOpenKeyExW 76C1F09D 5 Bytes JMP 00960025
.text C:\Windows\system32\svchost.exe[1192] WS2_32.dll!socket 75C636D1 5 Bytes JMP 00940FEF
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!GetStartupInfoW 77101929 5 Bytes JMP 00E70F35
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!GetStartupInfoA 771019C9 5 Bytes JMP 00E70F50
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!CreateProcessW 77101C01 5 Bytes JMP 00E70F06
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!CreateProcessA 77101C36 5 Bytes JMP 00E700A7
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!VirtualProtect 77101DD1 5 Bytes JMP 00E70F83
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!CreateNamedPipeW 77105C44 5 Bytes JMP 00E70025
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!LoadLibraryExW 771230C3 5 Bytes JMP 00E70F94
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!LoadLibraryW 7712361F 5 Bytes JMP 00E70036
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!VirtualProtectEx 77128D7E 5 Bytes JMP 00E70F72
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!LoadLibraryExA 77129469 5 Bytes JMP 00E70047
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!LoadLibraryA 77129491 5 Bytes JMP 00E70FB9
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!CreatePipe 77130284 5 Bytes JMP 00E70F61
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!GetProcAddress 7714B8B6 5 Bytes JMP 00E700B8
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!CreateFileW 7714CC4E 5 Bytes JMP 00E70FEF
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!CreateFileA 7714CF71 5 Bytes JMP 00E70000
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!CreateNamedPipeA 771941F6 5 Bytes JMP 00E70FD4
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!WinExec 771953E7 5 Bytes JMP 00E70096
.text C:\Windows\system32\svchost.exe[1324] msvcrt.dll!_wsystem 75B88A47 5 Bytes JMP 00100038
.text C:\Windows\system32\svchost.exe[1324] msvcrt.dll!system 75B88B63 5 Bytes JMP 00100FB7
.text C:\Windows\system32\svchost.exe[1324] msvcrt.dll!_creat 75B8C6F1 5 Bytes JMP 0010001D
.text C:\Windows\system32\svchost.exe[1324] msvcrt.dll!_open 75B8DA7E 5 Bytes JMP 00100FEF
.text C:\Windows\system32\svchost.exe[1324] msvcrt.dll!_wcreat 75B8DC9E 5 Bytes JMP 00100FC8
.text C:\Windows\system32\svchost.exe[1324] msvcrt.dll!_wopen 75B8DE79 5 Bytes JMP 00100000
.text C:\Windows\system32\svchost.exe[1324] ADVAPI32.dll!RegCreateKeyExA 76BFB5E7 5 Bytes JMP 00A10033
.text C:\Windows\system32\svchost.exe[1324] ADVAPI32.dll!RegCreateKeyA 76BFB8AE 5 Bytes JMP 00A10022
.text C:\Windows\system32\svchost.exe[1324] ADVAPI32.dll!RegOpenKeyA 76C00BF5 5 Bytes JMP 00A10000
.text C:\Windows\system32\svchost.exe[1324] ADVAPI32.dll!RegCreateKeyW 76C0B83D 5 Bytes JMP 00A10F9B
.text C:\Windows\system32\svchost.exe[1324] ADVAPI32.dll!RegCreateKeyExW 76C0BCE1 5 Bytes JMP 00A10F76
.text C:\Windows\system32\svchost.exe[1324] ADVAPI32.dll!RegOpenKeyExA 76C0D4E8 5 Bytes JMP 00A10011
.text C:\Windows\system32\svchost.exe[1324] ADVAPI32.dll!RegOpenKeyW 76C13CB0 5 Bytes JMP 00A10FE5
.text C:\Windows\system32\svchost.exe[1324] ADVAPI32.dll!RegOpenKeyExW 76C1F09D 5 Bytes JMP 00A10FC0
.text C:\Windows\system32\svchost.exe[1324] WS2_32.dll!socket 75C636D1 5 Bytes JMP 009F0000
.text C:\Windows\system32\svchost.exe[1324] WinInet.dll!InternetOpenA 76B303DD 5 Bytes JMP 00A00FEF
.text C:\Windows\system32\svchost.exe[1324] WinInet.dll!InternetOpenUrlA 76B320A3 5 Bytes JMP 00A0001B
.text C:\Windows\system32\svchost.exe[1324] WinInet.dll!InternetOpenW 76B32A58 5 Bytes JMP 00A0000A
.text C:\Windows\system32\svchost.exe[1324] WinInet.dll!InternetOpenUrlW 76B7AF79 5 Bytes JMP 00A00040
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1552] kernel32.dll!LoadLibraryW 7712361F 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1552] kernel32.dll!LoadLibraryA 77129491 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Windows\system32\svchost.exe[1564] kernel32.dll!GetStartupInfoW 77101929 5 Bytes JMP 008B0F6D
.text C:\Windows\system32\svchost.exe[1564] kernel32.dll!GetStartupInfoA 771019C9 5 Bytes JMP 008B0F7E
.text C:\Windows\system32\svchost.exe[1564] kernel32.dll!CreateProcessW 77101C01 5 Bytes JMP 008B00F3
.text C:\Windows\system32\svchost.exe[1564] kernel32.dll!CreateProcessA 77101C36 5 Bytes JMP 008B0F5C
.text C:\Windows\system32\svchost.exe[1564] kernel32.dll!VirtualProtect 77101DD1 5 Bytes JMP 008B0098
.text C:\Windows\system32\svchost.exe[1564] kernel32.dll!CreateNamedPipeW 77105C44 5 Bytes JMP 008B0FE5
.text C:\Windows\system32\svchost.exe[1564] kernel32.dll!LoadLibraryExW 771230C3 5 Bytes JMP 008B0087
.text C:\Windows\system32\svchost.exe[1564] kernel32.dll!LoadLibraryW 7712361F 5 Bytes JMP 008B006C
.text C:\Windows\system32\svchost.exe[1564] kernel32.dll!VirtualProtectEx 77128D7E 5 Bytes JMP 008B0F99
.text C:\Windows\system32\svchost.exe[1564] kernel32.dll!LoadLibraryExA 77129469 5 Bytes JMP 008B0FCA
.text C:\Windows\system32\svchost.exe[1564] kernel32.dll!LoadLibraryA 77129491 5 Bytes JMP 008B0051
.text C:\Windows\system32\svchost.exe[1564] kernel32.dll!CreatePipe 77130284 5 Bytes JMP 008B00A9
.text C:\Windows\system32\svchost.exe[1564] kernel32.dll!GetProcAddress 7714B8B6 5 Bytes JMP 008B0F41
.text C:\Windows\system32\svchost.exe[1564] kernel32.dll!CreateFileW 7714CC4E 5 Bytes JMP 008B0011
.text C:\Windows\system32\svchost.exe[1564] kernel32.dll!CreateFileA 7714CF71 5 Bytes JMP 008B0000
.text C:\Windows\system32\svchost.exe[1564] kernel32.dll!CreateNamedPipeA 771941F6 5 Bytes JMP 008B0036
.text C:\Windows\system32\svchost.exe[1564] kernel32.dll!WinExec 771953E7 5 Bytes JMP 008B00CE
.text C:\Windows\system32\svchost.exe[1564] msvcrt.dll!_wsystem 75B88A47 5 Bytes JMP 00840FB7
.text C:\Windows\system32\svchost.exe[1564] msvcrt.dll!system 75B88B63 5 Bytes JMP 00840038
.text C:\Windows\system32\svchost.exe[1564] msvcrt.dll!_creat 75B8C6F1 5 Bytes JMP 00840027
.text C:\Windows\system32\svchost.exe[1564] msvcrt.dll!_open 75B8DA7E 5 Bytes JMP 00840000
.text C:\Windows\system32\svchost.exe[1564] msvcrt.dll!_wcreat 75B8DC9E 5 Bytes JMP 00840FC8
.text C:\Windows\system32\svchost.exe[1564] msvcrt.dll!_wopen 75B8DE79 5 Bytes JMP 00840FE3
.text C:\Windows\system32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyExA 76BFB5E7 5 Bytes JMP 008A006C
.text C:\Windows\system32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyA 76BFB8AE 5 Bytes JMP 008A004A
.text C:\Windows\system32\svchost.exe[1564] ADVAPI32.dll!RegOpenKeyA 76C00BF5 5 Bytes JMP 008A000A
.text C:\Windows\system32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyW 76C0B83D 5 Bytes JMP 008A005B
.text C:\Windows\system32\svchost.exe[1564] ADVAPI32.dll!RegCreateKeyExW 76C0BCE1 5 Bytes JMP 008A0FA5
.text C:\Windows\system32\svchost.exe[1564] ADVAPI32.dll!RegOpenKeyExA 76C0D4E8 5 Bytes JMP 008A0FDE
.text C:\Windows\system32\svchost.exe[1564] ADVAPI32.dll!RegOpenKeyW 76C13CB0 5 Bytes JMP 008A0FEF
.text C:\Windows\system32\svchost.exe[1564] ADVAPI32.dll!RegOpenKeyExW 76C1F09D 5 Bytes JMP 008A0039
.text C:\Windows\system32\svchost.exe[1564] WS2_32.dll!socket 75C636D1 5 Bytes JMP 00890FEF
.text C:\Windows\system32\svchost.exe[1848] kernel32.dll!GetStartupInfoW 77101929 5 Bytes JMP 00CD00C9
.text C:\Windows\system32\svchost.exe[1848] kernel32.dll!GetStartupInfoA 771019C9 5 Bytes JMP 00CD0F8D
.text C:\Windows\system32\svchost.exe[1848] kernel32.dll!CreateProcessW 77101C01 5 Bytes JMP 00CD0F57
.text C:\Windows\system32\svchost.exe[1848] kernel32.dll!CreateProcessA 77101C36 5 Bytes JMP 00CD00EE
.text C:\Windows\system32\svchost.exe[1848] kernel32.dll!VirtualProtect 77101DD1 5 Bytes JMP 00CD0FA8
.text C:\Windows\system32\svchost.exe[1848] kernel32.dll!CreateNamedPipeW 77105C44 5 Bytes JMP 00CD0040
.text C:\Windows\system32\svchost.exe[1848] kernel32.dll!LoadLibraryExW 771230C3 5 Bytes JMP 00CD0076
.text C:\Windows\system32\svchost.exe[1848] kernel32.dll!LoadLibraryW 7712361F 5 Bytes JMP 00CD0FDE
.text C:\Windows\system32\svchost.exe[1848] kernel32.dll!VirtualProtectEx 77128D7E 5 Bytes JMP 00CD009D
.text C:\Windows\system32\svchost.exe[1848] kernel32.dll!LoadLibraryExA 77129469 5 Bytes JMP 00CD0FC3
.text C:\Windows\system32\svchost.exe[1848] kernel32.dll!LoadLibraryA 77129491 5 Bytes JMP 00CD0065
.text C:\Windows\system32\svchost.exe[1848] kernel32.dll!CreatePipe 77130284 5 Bytes JMP 00CD00AE
.text C:\Windows\system32\svchost.exe[1848] kernel32.dll!GetProcAddress 7714B8B6 5 Bytes JMP 00CD0F3C
.text C:\Windows\system32\svchost.exe[1848] kernel32.dll!CreateFileW 7714CC4E 5 Bytes JMP 00CD0FEF
.text C:\Windows\system32\svchost.exe[1848] kernel32.dll!CreateFileA 7714CF71 5 Bytes JMP 00CD0000
.text C:\Windows\system32\svchost.exe[1848] kernel32.dll!CreateNamedPipeA 771941F6 5 Bytes JMP 00CD0025
.text C:\Windows\system32\svchost.exe[1848] kernel32.dll!WinExec 771953E7 5 Bytes JMP 00CD0F68
.text C:\Windows\system32\svchost.exe[1848] msvcrt.dll!_wsystem 75B88A47 5 Bytes JMP 00AD0F8B
.text C:\Windows\system32\svchost.exe[1848] msvcrt.dll!system 75B88B63 5 Bytes JMP 00AD0F9C
.text C:\Windows\system32\svchost.exe[1848] msvcrt.dll!_creat 75B8C6F1 5 Bytes JMP 00AD0FD2
.text C:\Windows\system32\svchost.exe[1848] msvcrt.dll!_open 75B8DA7E 5 Bytes JMP 00AD0FEF
.text C:\Windows\system32\svchost.exe[1848] msvcrt.dll!_wcreat 75B8DC9E 5 Bytes JMP 00AD0FB7
.text C:\Windows\system32\svchost.exe[1848] msvcrt.dll!_wopen 75B8DE79 5 Bytes JMP 00AD000C
.text C:\Windows\system32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyExA 76BFB5E7 5 Bytes JMP 00CC0FA5
.text C:\Windows\system32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyA 76BFB8AE 5 Bytes JMP 00CC0FDB
.text C:\Windows\system32\svchost.exe[1848] ADVAPI32.dll!RegOpenKeyA 76C00BF5 5 Bytes JMP 00CC0000
.text C:\Windows\system32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyW 76C0B83D 5 Bytes JMP 00CC0FC0
.text C:\Windows\system32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyExW 76C0BCE1 5 Bytes JMP 00CC0F94
.text C:\Windows\system32\svchost.exe[1848] ADVAPI32.dll!RegOpenKeyExA 76C0D4E8 5 Bytes JMP 00CC002C
.text C:\Windows\system32\svchost.exe[1848] ADVAPI32.dll!RegOpenKeyW 76C13CB0 5 Bytes JMP 00CC0011
.text C:\Windows\system32\svchost.exe[1848] ADVAPI32.dll!RegOpenKeyExW 76C1F09D 5 Bytes JMP 00CC003D
.text C:\Windows\system32\svchost.exe[1848] WS2_32.dll!socket 75C636D1 5 Bytes JMP 00AF0000
.text C:\Windows\System32\svchost.exe[2144] kernel32.dll!GetStartupInfoW 77101929 5 Bytes JMP 00290078
.text C:\Windows\System32\svchost.exe[2144] kernel32.dll!GetStartupInfoA 771019C9 5 Bytes JMP 00290F32
.text C:\Windows\System32\svchost.exe[2144] kernel32.dll!CreateProcessW 77101C01 5 Bytes JMP 002900A4
.text C:\Windows\System32\svchost.exe[2144] kernel32.dll!CreateProcessA 77101C36 5 Bytes JMP 00290F17
.text C:\Windows\System32\svchost.exe[2144] kernel32.dll!VirtualProtect 77101DD1 5 Bytes JMP 00290F6F
.text C:\Windows\System32\svchost.exe[2144] kernel32.dll!CreateNamedPipeW 77105C44 5 Bytes JMP 00290FB6
.text C:\Windows\System32\svchost.exe[2144] kernel32.dll!LoadLibraryExW 771230C3 5 Bytes JMP 00290049
.text C:\Windows\System32\svchost.exe[2144] kernel32.dll!LoadLibraryW 7712361F 5 Bytes JMP 00290F80
.text C:\Windows\System32\svchost.exe[2144] kernel32.dll!VirtualProtectEx 77128D7E 5 Bytes JMP 00290F5E
.text C:\Windows\System32\svchost.exe[2144] kernel32.dll!LoadLibraryExA 77129469 5 Bytes JMP 00290022
.text C:\Windows\System32\svchost.exe[2144] kernel32.dll!LoadLibraryA 77129491 5 Bytes JMP 00290FA5
.text C:\Windows\System32\svchost.exe[2144] kernel32.dll!CreatePipe 77130284 5 Bytes JMP 00290F4D
.text C:\Windows\System32\svchost.exe[2144] kernel32.dll!GetProcAddress 7714B8B6 5 Bytes JMP 00290EE8
.text C:\Windows\System32\svchost.exe[2144] kernel32.dll!CreateFileW 7714CC4E 5 Bytes JMP 00290000
.text C:\Windows\System32\svchost.exe[2144] kernel32.dll!CreateFileA 7714CF71 5 Bytes JMP 00290FEF
.text C:\Windows\System32\svchost.exe[2144] kernel32.dll!CreateNamedPipeA 771941F6 5 Bytes JMP 00290011
.text C:\Windows\System32\svchost.exe[2144] kernel32.dll!WinExec 771953E7 5 Bytes JMP 00290093
.text C:\Windows\System32\svchost.exe[2144] msvcrt.dll!_wsystem 75B88A47 5 Bytes JMP 00260075
.text C:\Windows\System32\svchost.exe[2144] msvcrt.dll!system 75B88B63 5 Bytes JMP 0026005A
.text C:\Windows\System32\svchost.exe[2144] msvcrt.dll!_creat 75B8C6F1 5 Bytes JMP 0026002E
.text C:\Windows\System32\svchost.exe[2144] msvcrt.dll!_open 75B8DA7E 5 Bytes JMP 00260000
.text C:\Windows\System32\svchost.exe[2144] msvcrt.dll!_wcreat 75B8DC9E 5 Bytes JMP 00260049
.text C:\Windows\System32\svchost.exe[2144] msvcrt.dll!_wopen 75B8DE79 5 Bytes JMP 0026001D
.text C:\Windows\System32\svchost.exe[2144] ADVAPI32.dll!RegCreateKeyExA 76BFB5E7 5 Bytes JMP 00280F9A
.text C:\Windows\System32\svchost.exe[2144] ADVAPI32.dll!RegCreateKeyA 76BFB8AE 5 Bytes JMP 00280028
.text C:\Windows\System32\svchost.exe[2144] ADVAPI32.dll!RegOpenKeyA 76C00BF5 5 Bytes JMP 00280FEF
.text C:\Windows\System32\svchost.exe[2144] ADVAPI32.dll!RegCreateKeyW 76C0B83D 5 Bytes JMP 00280FAB
.text C:\Windows\System32\svchost.exe[2144] ADVAPI32.dll!RegCreateKeyExW 76C0BCE1 5 Bytes JMP 00280F7F
.text C:\Windows\System32\svchost.exe[2144] ADVAPI32.dll!RegOpenKeyExA 76C0D4E8 5 Bytes JMP 00280FCD
.text C:\Windows\System32\svchost.exe[2144] ADVAPI32.dll!RegOpenKeyW 76C13CB0 5 Bytes JMP 00280FDE
.text C:\Windows\System32\svchost.exe[2144] ADVAPI32.dll!RegOpenKeyExW 76C1F09D 5 Bytes JMP 00280FBC
.text C:\Windows\System32\svchost.exe[2144] WS2_32.dll!socket 75C636D1 5 Bytes JMP 00270000
.text C:\Windows\system32\svchost.exe[2240] kernel32.dll!GetStartupInfoW 77101929 5 Bytes JMP 007400AE
.text C:\Windows\system32\svchost.exe[2240] kernel32.dll!GetStartupInfoA 771019C9 5 Bytes JMP 00740F68
.text C:\Windows\system32\svchost.exe[2240] kernel32.dll!CreateProcessW 77101C01 5 Bytes JMP 007400EB
.text C:\Windows\system32\svchost.exe[2240] kernel32.dll!CreateProcessA 77101C36 5 Bytes JMP 007400D0
.text C:\Windows\system32\svchost.exe[2240] kernel32.dll!VirtualProtect 77101DD1 5 Bytes JMP 00740093
.text C:\Windows\system32\svchost.exe[2240] kernel32.dll!CreateNamedPipeW 77105C44 5 Bytes JMP 00740025
.text C:\Windows\system32\svchost.exe[2240] kernel32.dll!LoadLibraryExW 771230C3 5 Bytes JMP 00740076
.text C:\Windows\system32\svchost.exe[2240] kernel32.dll!LoadLibraryW 7712361F 5 Bytes JMP 0074004A
.text C:\Windows\system32\svchost.exe[2240] kernel32.dll!VirtualProtectEx 77128D7E 5 Bytes JMP 00740F9E
.text C:\Windows\system32\svchost.exe[2240] kernel32.dll!LoadLibraryExA 77129469 5 Bytes JMP 00740065
.text C:\Windows\system32\svchost.exe[2240] kernel32.dll!LoadLibraryA 77129491 5 Bytes JMP 00740FB9
.text C:\Windows\system32\svchost.exe[2240] kernel32.dll!CreatePipe 77130284 5 Bytes JMP 00740F83
.text C:\Windows\system32\svchost.exe[2240] kernel32.dll!GetProcAddress 7714B8B6 5 Bytes JMP 00740106
.text C:\Windows\system32\svchost.exe[2240] kernel32.dll!CreateFileW 7714CC4E 5 Bytes JMP 0074000A
.text C:\Windows\system32\svchost.exe[2240] kernel32.dll!CreateFileA 7714CF71 5 Bytes JMP 00740FEF
.text C:\Windows\system32\svchost.exe[2240] kernel32.dll!CreateNamedPipeA 771941F6 5 Bytes JMP 00740FD4
.text C:\Windows\system32\svchost.exe[2240] kernel32.dll!WinExec 771953E7 5 Bytes JMP 007400BF
.text C:\Windows\system32\svchost.exe[2240] msvcrt.dll!_wsystem 75B88A47 5 Bytes JMP 00210F9C
.text C:\Windows\system32\svchost.exe[2240] msvcrt.dll!system 75B88B63 5 Bytes JMP 00210031
.text C:\Windows\system32\svchost.exe[2240] msvcrt.dll!_creat 75B8C6F1 5 Bytes JMP 00210FC1
.text C:\Windows\system32\svchost.exe[2240] msvcrt.dll!_open 75B8DA7E 5 Bytes JMP 00210FEF
.text C:\Windows\system32\svchost.exe[2240] msvcrt.dll!_wcreat 75B8DC9E 5 Bytes JMP 00210020
.text C:\Windows\system32\svchost.exe[2240] msvcrt.dll!_wopen 75B8DE79 5 Bytes JMP 00210FDE
.text C:\Windows\system32\svchost.exe[2240] ADVAPI32.dll!RegCreateKeyExA 76BFB5E7 5 Bytes JMP 00730069
.text C:\Windows\system32\svchost.exe[2240] ADVAPI32.dll!RegCreateKeyA 76BFB8AE 5 Bytes JMP 0073004E
.text C:\Windows\system32\svchost.exe[2240] ADVAPI32.dll!RegOpenKeyA 76C00BF5 5 Bytes JMP 00730000
.text C:\Windows\system32\svchost.exe[2240] ADVAPI32.dll!RegCreateKeyW 76C0B83D 5 Bytes JMP 00730FC7
.text C:\Windows\system32\svchost.exe[2240] ADVAPI32.dll!RegCreateKeyExW 76C0BCE1 5 Bytes JMP 0073007A
.text C:\Windows\system32\svchost.exe[2240] ADVAPI32.dll!RegOpenKeyExA 76C0D4E8 5 Bytes JMP 00730022
.text C:\Windows\system32\svchost.exe[2240] ADVAPI32.dll!RegOpenKeyW 76C13CB0 5 Bytes JMP 00730011
.text C:\Windows\system32\svchost.exe[2240] ADVAPI32.dll!RegOpenKeyExW 76C1F09D 5 Bytes JMP 0073003D
.text C:\Windows\system32\svchost.exe[2240] WS2_32.dll!socket 75C636D1 5 Bytes JMP 006D000A
.text C:\Windows\system32\svchost.exe[2292] kernel32.dll!GetStartupInfoW 77101929 5 Bytes JMP 009000B8
.text C:\Windows\system32\svchost.exe[2292] kernel32.dll!GetStartupInfoA 771019C9 5 Bytes JMP 009000A7
.text C:\Windows\system32\svchost.exe[2292] kernel32.dll!CreateProcessW 77101C01 5 Bytes JMP 00900F2B
.text C:\Windows\system32\svchost.exe[2292] kernel32.dll!CreateProcessA 77101C36 5 Bytes JMP 00900F46
.text C:\Windows\system32\svchost.exe[2292] kernel32.dll!VirtualProtect 77101DD1 5 Bytes JMP 00900071
.text C:\Windows\system32\svchost.exe[2292] kernel32.dll!CreateNamedPipeW 77105C44 5 Bytes JMP 00900014
.text C:\Windows\system32\svchost.exe[2292] kernel32.dll!LoadLibraryExW 771230C3 5 Bytes JMP 0090004A
.text C:\Windows\system32\svchost.exe[2292] kernel32.dll!LoadLibraryW 7712361F 5 Bytes JMP 00900FA8
.text C:\Windows\system32\svchost.exe[2292] kernel32.dll!VirtualProtectEx 77128D7E 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[2292] kernel32.dll!VirtualProtectEx 77128D7E 5 Bytes JMP 00900082
.text C:\Windows\system32\svchost.exe[2292] kernel32.dll!LoadLibraryExA 77129469 5 Bytes JMP 00900F97
.text C:\Windows\system32\svchost.exe[2292] kernel32.dll!LoadLibraryA 77129491 5 Bytes JMP 00900025
.text C:\Windows\system32\svchost.exe[2292] kernel32.dll!CreatePipe 77130284 5 Bytes JMP 00900F7C
.text C:\Windows\system32\svchost.exe[2292] kernel32.dll!GetProcAddress 7714B8B6 5 Bytes JMP 009000DD
.text C:\Windows\system32\svchost.exe[2292] kernel32.dll!CreateFileW 7714CC4E 5 Bytes JMP 00900FDE
.text C:\Windows\system32\svchost.exe[2292] kernel32.dll!CreateFileA 7714CF71 5 Bytes JMP 00900FEF
.text C:\Windows\system32\svchost.exe[2292] kernel32.dll!CreateNamedPipeA 771941F6 5 Bytes JMP 00900FCD
.text C:\Windows\system32\svchost.exe[2292] kernel32.dll!WinExec 771953E7 5 Bytes JMP 00900F61
.text C:\Windows\system32\svchost.exe[2292] msvcrt.dll!_wsystem 75B88A47 5 Bytes JMP 008C0038
.text C:\Windows\system32\svchost.exe[2292] msvcrt.dll!system 75B88B63 5 Bytes JMP 008C0FAD
.text C:\Windows\system32\svchost.exe[2292] msvcrt.dll!_creat 75B8C6F1 5 Bytes JMP 008C0FD9
.text C:\Windows\system32\svchost.exe[2292] msvcrt.dll!_open 75B8DA7E 5 Bytes JMP 008C000C
.text C:\Windows\system32\svchost.exe[2292] msvcrt.dll!_wcreat 75B8DC9E 5 Bytes JMP 008C0FC8
.text C:\Windows\system32\svchost.exe[2292] msvcrt.dll!_wopen 75B8DE79 5 Bytes JMP 008C001D
.text C:\Windows\system32\svchost.exe[2292] ADVAPI32.dll!RegCreateKeyExA 76BFB5E7 5 Bytes JMP 008F0F9B
.text C:\Windows\system32\svchost.exe[2292] ADVAPI32.dll!RegCreateKeyA 76BFB8AE 5 Bytes JMP 008F0033
.text C:\Windows\system32\svchost.exe[2292] ADVAPI32.dll!RegOpenKeyA 76C00BF5 5 Bytes JMP 008F0000
.text C:\Windows\system32\svchost.exe[2292] ADVAPI32.dll!RegCreateKeyW 76C0B83D 5 Bytes JMP 008F0FAC
.text C:\Windows\system32\svchost.exe[2292] ADVAPI32.dll!RegCreateKeyExW 76C0BCE1 5 Bytes JMP 008F0F80
.text C:\Windows\system32\svchost.exe[2292] ADVAPI32.dll!RegOpenKeyExA 76C0D4E8 5 Bytes JMP 008F0022
.text C:\Windows\system32\svchost.exe[2292] ADVAPI32.dll!RegOpenKeyW 76C13CB0 5 Bytes JMP 008F0011
.text C:\Windows\system32\svchost.exe[2292] ADVAPI32.dll!RegOpenKeyExW 76C1F09D 5 Bytes JMP 008F0FC7
.text C:\Windows\system32\svchost.exe[2292] WS2_32.dll!socket 75C636D1 5 Bytes JMP 008E0000
.text C:\Windows\System32\svchost.exe[2456] kernel32.dll!GetStartupInfoW 77101929 5 Bytes JMP 00070F4B
.text C:\Windows\System32\svchost.exe[2456] kernel32.dll!GetStartupInfoA 771019C9 5 Bytes JMP 00070091
.text C:\Windows\System32\svchost.exe[2456] kernel32.dll!CreateProcessW 77101C01 5 Bytes JMP 00070F0E
.text C:\Windows\System32\svchost.exe[2456] kernel32.dll!CreateProcessA 77101C36 5 Bytes JMP 00070F1F
.text C:\Windows\System32\svchost.exe[2456] kernel32.dll!VirtualProtect 77101DD1 5 Bytes JMP 00070F81
.text C:\Windows\System32\svchost.exe[2456] kernel32.dll!CreateNamedPipeW 77105C44 5 Bytes JMP 00070036
.text C:\Windows\System32\svchost.exe[2456] kernel32.dll!LoadLibraryExW 771230C3 5 Bytes JMP 00070F9E
.text C:\Windows\System32\svchost.exe[2456] kernel32.dll!LoadLibraryW 7712361F 5 Bytes JMP 00070FB9
.text C:\Windows\System32\svchost.exe[2456] kernel32.dll!VirtualProtectEx 77128D7E 5 Bytes JMP 00070080
.text C:\Windows\System32\svchost.exe[2456] kernel32.dll!LoadLibraryExA 77129469 5 Bytes JMP 00070051
.text C:\Windows\System32\svchost.exe[2456] kernel32.dll!LoadLibraryA 77129491 5 Bytes JMP 00070FD4
.text C:\Windows\System32\svchost.exe[2456] kernel32.dll!CreatePipe 77130284 5 Bytes JMP 00070F66
.text C:\Windows\System32\svchost.exe[2456] kernel32.dll!GetProcAddress 7714B8B6 5 Bytes JMP 00070EFD
.text C:\Windows\System32\svchost.exe[2456] kernel32.dll!CreateFileW 7714CC4E 5 Bytes JMP 00070025
.text C:\Windows\System32\svchost.exe[2456] kernel32.dll!CreateFileA 7714CF71 5 Bytes JMP 00070000
.text C:\Windows\System32\svchost.exe[2456] kernel32.dll!CreateNamedPipeA 771941F6 5 Bytes JMP 00070FEF
.text C:\Windows\System32\svchost.exe[2456] kernel32.dll!WinExec 771953E7 5 Bytes JMP 00070F3A
.text C:\Windows\System32\svchost.exe[2456] msvcrt.dll!_wsystem 75B88A47 5 Bytes JMP 00050FAD
.text C:\Windows\System32\svchost.exe[2456] msvcrt.dll!system 75B88B63 5 Bytes JMP 00050FC8
.text C:\Windows\System32\svchost.exe[2456] msvcrt.dll!_creat 75B8C6F1 5 Bytes JMP 00050FE3
.text C:\Windows\System32\svchost.exe[2456] msvcrt.dll!_open 75B8DA7E 5 Bytes JMP 00050000
.text C:\Windows\System32\svchost.exe[2456] msvcrt.dll!_wcreat 75B8DC9E 5 Bytes JMP 00050038

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\BTHUSB \Device\00000087 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\BTHUSB \Device\00000089 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e3766da05
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001e3766da05
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Service\Scheduler@Heartbeat 0x90 0x5D 0xCF 0x0C ...

---- EOF - GMER 1.0.15 ----


Thanks,

Mrparkers

#8 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:07:38 AM

Posted 06 July 2009 - 06:32 PM

No rootkit either...but that's good. :thumbup2:

OTL not working was an unexpected problem though.

Can you try OTS?

Please download
OTS
and save it to your desktop:
- Double click Posted Image and run
If you are running on Vista then right-click the program and choose Run as Administrator.


- Please check Posted Image & Posted Image
- Next press
Posted Image
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
- Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit)
- The log will be located in the OTS folder and named OTS.txt.

Thanks :)
m0le is a proud member of UNITE

#9 Mrparkers

Mrparkers
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:02:38 AM

Posted 06 July 2009 - 08:04 PM

My computer actually seems to be going a little bit faster than before, even though we haven't really done anything. Youtube videos load but they load pretty slowly so it keeps stopping in the middle of the video. Anyways I have the log attached.

Attached Files

  • Attached File  OTS.Txt   212.72KB   13 downloads


#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:07:38 AM

Posted 07 July 2009 - 05:53 PM

Hi Mrparkers,

That's good that it's improved.

I would like to run two scans which should root out anything that the logs aren't finding.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Then

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Thanks :thumbup2:
m0le is a proud member of UNITE

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:07:38 AM

Posted 10 July 2009 - 04:42 PM

Hi Mrparkers,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open.

If you like you can PM me.

Thanks,


m0le

Edited by m0le, 10 July 2009 - 04:43 PM.

m0le is a proud member of UNITE

#12 Mrparkers

Mrparkers
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:02:38 AM

Posted 11 July 2009 - 09:39 AM

Those two seemed to find some threats.

Malwarebytes' log:

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 6.0.6001 Service Pack 1

7/10/2009 11:19:33 PM
mbam-log-2009-07-10 (23-19-33).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 316272
Time elapsed: 2 hour(s), 5 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ESET Log:

C:\Program Files\Cheat Engine\dbk32.sys probably a variant of Win32/Genetik trojan cleaned by deleting - quarantined
C:\Users\Parker Family\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\716a224c-6f3da0a3 a variant of Java/TrojanDownloader.Agent.NAB trojan deleted - quarantined

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:07:38 AM

Posted 11 July 2009 - 07:09 PM

Yes, it found some remnants but not major threats and they have been removed. :)

Please run BitDefender - an aggressive scanner.

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.
Then post new DDS logs.

We're nearly there Mrparkers :thumbup2:
m0le is a proud member of UNITE

#14 Mrparkers

Mrparkers
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:02:38 AM

Posted 14 July 2009 - 10:47 AM

I couldn't find the Export to log option on the Bit Defender scanner, so here's a picture. The scan didn't find anything though.

Posted Image

And as for the DDS logs:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Parker Family at 10:43:18.20 on Tue 07/14/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_14
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1982.954 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Windows\system32\rundll32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP Bluetooth Laser Mobile Mouse\MulMouse.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Parker Family\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\users\parker~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpblue~1.lnk - c:\program files\hp bluetooth laser mobile mouse\MulMouse.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vongot~1.lnk - c:\windows\installer\{8c3ae2d1-854d-4650-a73d-c7cc7ee36b80}\NewShortcut2_DB7E00C96DEF489A8112D8F81614F45A.exe
mPolicies-system: FilterAdministratorToken = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - hxxp://simcity.ea.com/update/EARTPX.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} - hxxp://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} - hxxp://messenger.zone.msn.com/binary/Chess.cab57176.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://access.foley.com/dana-cached/sc/JuniperSetupClient.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\parker~1\appdata\roaming\mozilla\firefox\profiles\q3o6izgh.default\
FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_19.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");

============= SERVICES / DRIVERS ===============

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-1-3 203280]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-6-1 34064]
S2 Apache2.2;Apache2.2;"c:\users\parker family\documents\dah\~\my server\474\xampp\apache\bin\apache.exe" -k runservice --> c:\users\parker family\documents\dah\~\my server\474\xampp\apache\bin\apache.exe [?]
S3 SecureSrv;SecureSrv;c:\program files\hide my ip 2008\SecureSrv.exe [2008-12-26 110880]
S4 DynDNS Updater;DynDNS Updater;c:\program files\dyndns updater\DynUpSvc.exe [2008-4-23 61440]

=============== Created Last 30 ================

2009-07-13 01:00 <DIR> --d----- C:\cache525
2009-07-13 00:01 0 a------- c:\windows\system32\RENCCF2.tmp
2009-07-13 00:01 0 a------- c:\windows\system32\RENCCF1.tmp
2009-07-13 00:01 0 a------- c:\windows\system32\RENCCD0.tmp
2009-07-10 23:21 <DIR> --d----- c:\program files\ESET
2009-07-10 21:07 <DIR> --d----- c:\users\parker~1\appdata\roaming\Malwarebytes
2009-07-10 21:07 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-10 21:07 <DIR> --d----- c:\programdata\Malwarebytes
2009-07-10 21:07 <DIR> --d----- c:\progra~2\Malwarebytes
2009-07-10 21:07 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-10 21:07 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-08 20:53 <DIR> --d----- C:\worldmap_filestore
2009-06-26 14:38 107,864 a------- c:\windows\system32\tsccvid.dll
2009-06-26 14:38 <DIR> --d----- c:\windows\system32\QuickTime
2009-06-26 14:37 <DIR> --d----- c:\program files\common files\TechSmith Shared
2009-06-18 17:08 <DIR> --d----- c:\users\parker~1\appdata\roaming\MozillaControl
2009-06-18 16:18 <DIR> --d----- c:\program files\Mozilla ActiveX Control v1.7.12
2009-06-18 16:18 <DIR> --d----- c:\program files\VideoLAN
2009-06-18 16:17 <DIR> --d----- c:\program files\Graboid

==================== Find3M ====================

2009-07-13 17:37 28,599 a------- c:\programdata\nvModes.dat
2009-07-13 17:37 28,599 a------- c:\progra~2\nvModes.dat
2009-07-13 00:01 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-12 23:05 1,537 a------- c:\windows\bthservsdp.dat
2009-05-23 07:50 31 a------- c:\users\parker family\jagex_runescape_preferences.dat
2009-04-20 18:32 51,200 a------- c:\windows\inf\infpub.dat
2009-04-20 18:32 143,360 a------- c:\windows\inf\infstrng.dat
2009-04-20 18:32 86,016 a------- c:\windows\inf\infstor.dat
2009-01-31 17:38 28,095 a------- c:\users\parker~1\appdata\roaming\nvModes.dat
2008-10-13 18:31 174 a--sh--- c:\program files\desktop.ini
2008-10-13 18:15 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-04-06 11:50 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-04-06 11:50 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-04-06 11:50 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 10:44:20.86 ===============

And I have the attach log attached as well.

Thanks,

Mrparkers


#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:07:38 AM

Posted 14 July 2009 - 06:31 PM

One thing to check.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Go to Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\windows\system32\RENCCF2.tmp

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at VirusTotal

If that comes up clean then we can start to clean up. :thumbup2:
m0le is a proud member of UNITE
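The reason m0le picks out c:\windows\system32\RENCCF2.tmp from the DDS log in post #14 is a standard triage pattern: zero-byte temp files written straight into system32, all in the same minute, and not explained by the tools the helper just had the user install. The script below is an added example (not from this thread, not part of DDS or any BleepingComputer tool) that parses the "Created Last 30" section and applies those heuristics. The listing it reads is a constructed excerpt modelled on the lines in post #14, and the KNOWN_TOOL_MARKERS allowlist is an assumption for this example.

```python
"""Triage the "Created Last 30" section of a DDS log.

Added example (not from the thread or from DDS itself): parses the listing
lines, then applies two simple defender heuristics that explain why a
zero-byte .tmp in system32 gets sent to Jotti/VirusTotal before anything else.
"""
import re
from collections import defaultdict

# Constructed excerpt modelled on the DDS "Created Last 30" listing in post #14.
DDS_CREATED_LAST_30 = """\
2009-07-13 01:00 <DIR> --d----- C:\\cache525
2009-07-13 00:01 0 a------- c:\\windows\\system32\\RENCCF2.tmp
2009-07-13 00:01 0 a------- c:\\windows\\system32\\RENCCF1.tmp
2009-07-13 00:01 0 a------- c:\\windows\\system32\\RENCCD0.tmp
2009-07-10 23:21 <DIR> --d----- c:\\program files\\ESET
2009-07-10 21:07 38,160 a------- c:\\windows\\system32\\drivers\\mbamswissarmy.sys
2009-07-10 21:07 19,096 a------- c:\\windows\\system32\\drivers\\mbam.sys
2009-06-26 14:38 107,864 a------- c:\\windows\\system32\\tsccvid.dll
"""

# DDS line layout: date time size attrs path  (size is "<DIR>" for directories)
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)

# Path fragments belonging to the scanners the helper asked the user to install.
# This allowlist is an assumption for the example, not something DDS provides.
KNOWN_TOOL_MARKERS = ("\\eset", "\\malwarebytes", "\\drivers\\mbam")


def parse_created(text):
    """Return one dict per listing line; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append({
            "when": f"{m['date']} {m['time']}",
            "size": size,                 # None for directories
            "attrs": m["attrs"],          # e.g. "a-------", "a--sh---"
            "path": m["path"].lower(),    # DDS mixes case; normalise for matching
        })
    return entries


def flag_entries(entries):
    """Apply defender heuristics; return [(path, reason), ...] in listing order."""
    flagged = []
    for e in entries:
        p = e["path"]
        # Directories and the scanner's own files are expected, skip them.
        if e["size"] is None or any(k in p for k in KNOWN_TOOL_MARKERS):
            continue
        in_system32 = "\\windows\\system32\\" in p and "\\drivers\\" not in p
        if in_system32 and (p.endswith(".tmp") or e["size"] == 0):
            flagged.append((p, "temp/zero-byte file dropped directly in system32"))
        elif "s" in e["attrs"] and "h" in e["attrs"]:
            flagged.append((p, "hidden+system attributes on a recently created file"))
    return flagged


def bursts(entries, minimum=2):
    """Group files created in the same minute; installers and droppers both do this,
    so a burst is a lead to explain, not a verdict on its own."""
    by_minute = defaultdict(list)
    for e in entries:
        if e["size"] is not None:
            by_minute[e["when"]].append(e["path"])
    return {when: paths for when, paths in by_minute.items() if len(paths) >= minimum}


if __name__ == "__main__":
    ents = parse_created(DDS_CREATED_LAST_30)
    for path, reason in flag_entries(ents):
        print(f"{reason}: {path}")
    for when, paths in bursts(ents).items():
        print(f"{when}: {len(paths)} files created together")
```

Run against the constructed listing it flags the three RENCC*.tmp files and reports that they were created together at 00:01, while the mbam*.sys drivers from the same log are ignored because they belong to a tool the helper installed. The flagged files are the ones worth hashing and submitting to a multi-engine scanner, which is exactly the next step m0le asks for.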
