
hijacking/redirecting google/yahoo


23 replies to this topic

#1 joel3527


Posted 05 August 2009 - 08:11 PM

Hi,
Whenever I click a Google link I get redirected. I think this may have caused other problems with my computer as well. Here is a Kaspersky scan, a DDS log, a HijackThis log, as well as a Malwarebytes log.

I ran a McAfee virus scan and 2 trojans named NTOSKRNL-HOOK were found and removed. I have done this frequently with the same results, yet I still have the problem.

I ran an Ad-Aware scan that only found and removed 6 cookies.

The Malwarebytes scan found 4 infected objects, two Trojan.TDSS and two minibugs, three of which must be deleted on reboot. The log file for the scan is below.

If there's any other information about the computer you need, just let me know.

Thank you,
Joel

_______________________________________________________________________________________________________________________________

KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, August 5, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, August 05, 2009 23:35:34
Records in database: 2584412
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area Critical Areas
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Joel Woznicki\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS
Scan statistics
Files scanned 61025
Threat name 1
Infected objects 46
Suspicious objects 0
Duration of the scan 01:07:26

File name Threat name Threats count
globalroot\systemroot\system32\geyekrtvakqlrs.dll/globalroot\systemroot\system32\geyekrtvakqlrs.dll Infected: Trojan.Win32.Agent.crez 46
The selected area was scanned.

_______________________________________________________________________________________________________________________________


DDS (Ver_09-07-30.01) - NTFSx86
Run by Joel Woznicki at 20:37:07.13 on Wed 08/05/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.480 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Documents and Settings\Joel Woznicki\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/clientapps/AutoSearch/SearchBarLM/YSetSearch/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - ALOT Toolbar
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: &ESPN: {ae6f2894-af10-4c9c-b16e-1dfc6ff8c0c6} - c:\program files\espn\toolbar\DIGToolBar2.dll
TB: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} -
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1240079316781
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
AppInit_DLLs: ,
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-16 64160]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-15 214024]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1029456]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-28 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-7-30 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-2-15 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-2-15 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-2-15 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-2-15 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-15 40552]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-15 34216]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2009-4-24 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-4-24 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2009-4-24 42112]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2009-4-24 23680]

=============== Created Last 30 ================

2009-08-03 11:22 <DIR> --d----- C:\HJT
2009-08-02 17:38 <DIR> --d----- c:\program files\CCleaner
2009-08-01 14:35 <DIR> --d----- c:\program files\FrostWire
2009-07-24 21:12 0 a------- c:\windows\system32\AAWService_2009_07_24_21_12_19.dmp
2009-07-22 15:21 91 a------- c:\windows\system32\T
2009-07-22 15:21 1,217 a------- c:\windows\system32\C
2009-07-20 13:05 <DIR> --d----- c:\program files\ComcastUI

==================== Find3M ====================

2009-07-24 18:21 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-19 18:48 11,067,392 a------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 09:18 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-13 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 13:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 13:09 1,208,832 a------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 13:09 206,848 a------- c:\windows\system32\dllcache\occache.dll
2009-07-03 13:09 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 13:09 55,296 a------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 13:09 1,985,536 a------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 13:09 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 13:09 184,320 a------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 13:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 13:09 386,048 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 07:01 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-26 15:01 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 15:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-06-01 22:08 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-25 12:24 177,034 a------- c:\windows\hpwins19.dat
2009-04-04 16:29 72,832 a------- c:\windows\inf\CamAvb.sys
2008-04-23 22:35 848 ac-sh--- c:\windows\system32\KGyGaAvL.sys
2008-08-29 10:05 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082920080830\index.dat

============= FINISH: 20:39:15.24 ===============


______________________________________________________________________________________________________________________________________


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:39 PM, on 8/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\HJT\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/clientapps/AutoSear...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar2.dll
O3 - Toolbar: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - (no file)
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [hinufewiva] Rundll32.exe "C:\WINDOWS\system32\sorezayo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [hinufewiva] Rundll32.exe "C:\WINDOWS\system32\sorezayo.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1240079316781
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: ,
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 10696 bytes


_______________________________________________________________________________________________________________________


Malwarebytes' Anti-Malware 1.40
Database version: 2567
Windows 5.1.2600 Service Pack 3

8/5/2009 9:10:04 PM
mbam-log-2009-08-05 (21-10-04).txt

Scan type: Quick Scan
Objects scanned: 141131
Time elapsed: 11 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\SYSTEM32\geyekrtvakqlrs.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Delete on reboot.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\SYSTEM32\geyekrtvakqlrs.dll (Trojan.TDSS) -> Quarantined and deleted successfully.


 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert



Posted 07 August 2009 - 05:03 PM

Hello! :thumbup2:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 joel3527


Posted 10 August 2009 - 07:09 PM

I tried running ComboFix. It restarted my computer and proceeded to run for 2 hours when it said it should not run more than 10. I was unable to open anything on the internet nor access my start menu or anything else, so I ended it and restarted my computer. Should I run it again and just wait it out?

#4 joel3527


Posted 11 August 2009 - 12:07 AM

To be more specific, I ran ComboFix, then it installed the recovery console, then it asked if I would like to continue scanning for malware, then it showed me a list of infected files found on my computer and told me to write them down, giving me only an option to hit okay. After hitting okay, my computer restarted and ComboFix ran again saying it completed stage 1 through 50, then it said deleting malware and a ?. I shut down my computer after 2 hours of inactivity with the deleting malware and ? displayed.

#5 joel3527


Posted 11 August 2009 - 10:12 AM

I'm about to go camping until the 19th, where I won't have internet access, but here's the list of infected files ComboFix had me write down:
c\windows\system32\drivers\TDSSpqlt.sys
c\windows\system32\TDSSoiqt.dll
c\windows\system32\TDSSlrvd.dat
c\windows\system32\TDSShrxr.dll
c\windows\system32\TDSSrtqp.dll
c\windows\system32\TDSSxfum.dll
c\windows\system32\TDSSlxwp.dll
c\windows\system32\TDSSnmxh.log
c\windows\system32\TDSSsihc.dll
c\windows\system32\TDSSrhyp.log
c\windows\system32\TDSSkkbi.log

#6 Buckeye_Sam


Posted 11 August 2009 - 01:32 PM

If I don't catch you in time, enjoy your camping trip. :thumbup2:

Whenever you get to this, check to see if combofix made a log. It should be at C:\combofix.txt
Please post it if you find the log.

#7 joel3527


Posted 17 August 2009 - 07:09 PM

I did not see a log.

#8 Buckeye_Sam

Malware Expert

Posted 18 August 2009 - 12:18 PM

Ok, let's try to run it again, but this time with a twist.

First go ahead and delete combofix.exe from your desktop.


Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.


#9 joel3527


Posted 19 August 2009 - 09:49 AM

ComboFix 09-08-10.06 - Joel Woznicki 08/19/2009 2:26.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.489 [GMT -4:00]
Running from: c:\documents and settings\Joel Woznicki\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ALLUSE~1\APPLIC~1\91327956.ini
c:\windows\Installer\19a3c8.msp
c:\windows\Installer\315dc8.msi


.
((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 )))))))))))))))))))))))))))))))
.

2009-08-11 00:10 . 2009-08-19 06:18 -------- d-s---w- C:\ComboFix
2009-08-10 02:21 . 2009-08-10 02:21 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-10 02:21 . 2009-08-10 02:21 -------- d-----w- c:\program files\MSBuild
2009-08-10 02:20 . 2009-08-10 02:20 -------- d-----w- c:\program files\Reference Assemblies
2009-08-10 02:20 . 2009-08-10 02:20 -------- d-----w- C:\bb5b1de8a65042be88852a54
2009-08-10 02:20 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-10 02:20 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-10 02:20 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-10 02:20 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-10 02:20 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-10 02:20 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-10 02:20 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-03 15:22 . 2009-08-03 15:23 -------- d-----w- C:\HJT
2009-08-02 21:38 . 2009-08-02 21:38 -------- d-----w- c:\program files\CCleaner
2009-08-01 18:35 . 2009-08-01 18:36 -------- d-----w- c:\program files\FrostWire
2009-07-24 22:16 . 2009-07-24 22:21 152576 ----a-w- c:\documents and settings\Joel Woznicki\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-20 17:05 . 2009-07-20 17:05 -------- d-----w- c:\program files\ComcastUI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-18 19:25 . 2008-09-20 19:36 -------- d-----w- c:\documents and settings\Adam Woznicki\Application Data\FrostWire
2009-08-18 18:50 . 2004-12-30 02:53 68112 -c--a-w- c:\documents and settings\Adam Woznicki\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-18 16:20 . 2004-12-29 14:26 68112 -c--a-w- c:\documents and settings\Terese Woznicki\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-11 14:54 . 2008-09-29 01:38 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-08-11 05:03 . 2008-11-28 02:39 68112 ----a-w- c:\documents and settings\Joel Woznicki\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 00:45 . 2008-12-02 00:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malwares
2009-08-03 17:36 . 2008-12-01 23:46 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2008-12-01 23:46 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-02 15:27 . 2009-06-14 01:47 1 ----a-w- c:\documents and settings\Elise Woznicki\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-08-02 01:30 . 2007-04-07 03:10 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-01 02:06 . 2009-04-18 19:00 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-29 18:21 . 2008-06-03 15:03 -------- d-----w- c:\documents and settings\Joel Woznicki\Application Data\uTorrent
2009-07-27 16:21 . 2008-12-02 22:40 -------- d-----w- c:\documents and settings\Joel Woznicki\Application Data\FrostWire
2009-07-24 22:21 . 2008-11-28 01:01 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-24 21:53 . 2008-08-06 15:48 -------- d-----w- c:\program files\Common Files\Ahead
2009-07-12 17:46 . 2009-03-24 00:43 1 ----a-w- c:\documents and settings\Joel Woznicki\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-07-10 03:41 . 2007-02-16 01:37 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\McAfee
2009-07-09 19:16 . 2007-02-16 02:06 -------- d-----w- c:\program files\McAfee
2009-07-03 17:09 . 2004-08-04 11:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 20:24 . 2009-06-29 20:24 -------- d-----w- c:\program files\iTunes
2009-06-29 20:24 . 2009-06-29 20:24 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-29 20:24 . 2005-12-25 14:49 -------- d-----w- c:\program files\iPod
2009-06-29 20:24 . 2007-07-10 00:52 -------- d-----w- c:\program files\Common Files\Apple
2009-06-29 20:21 . 2006-03-14 02:56 -------- d-----w- c:\program files\QuickTime
2009-06-26 19:01 . 2009-06-26 04:33 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-06-26 01:17 . 2008-11-28 01:39 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\avg8
2009-06-23 17:30 . 2009-06-23 17:30 -------- d-----w- c:\program files\Nero
2009-06-22 16:18 . 2009-06-22 16:18 -------- d-----w- c:\documents and settings\Joel Woznicki\Application Data\Leadertech
2009-06-16 14:36 . 2004-08-04 11:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 11:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-14 01:04 . 2009-04-25 17:24 1 ----a-w- c:\documents and settings\Terese Woznicki\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-09 02:18 . 2009-04-18 14:24 1 ----a-w- c:\documents and settings\Alan Woznicki\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-03 23:50 . 2009-04-03 00:54 1 ----a-w- c:\documents and settings\Adam Woznicki\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-03 19:09 . 2004-08-04 11:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 02:08 . 2009-02-18 04:38 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-31 15:43 . 2004-12-30 00:53 68112 -c--a-w- c:\documents and settings\Elise Woznicki\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-25 16:24 . 2008-07-24 16:07 177034 ----a-w- c:\windows\hpwins19.dat
2008-04-24 02:35 . 2005-01-09 21:03 848 -csha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 1388544]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-09-20 4583424]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-24 148888]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-30 520024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

c:\documents and settings\Adam Woznicki\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\Terese Woznicki\Start Menu\Programs\Startup\
Expedia Fare Alert.lnk - c:\program files\Expedia\Expedia Fare Alert\ExpediaFareAlert.exe [2007-2-12 696320]
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\Alan Woznicki\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\Elise Woznicki\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ lsdelete

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Joel Woznicki^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\Joel Woznicki\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Documents and Settings\\AdamWoznicki\\My Documents\\HTML\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\WINDOWS\\SYSTEM32\\FXSCLNT.EXE"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqbam08.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [2/16/2009 11:00 PM 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 5:34 PM 1029456]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/28/2008 9:18 PM 210216]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\SYSTEM32\DRIVERS\motccgp.sys [4/24/2009 3:42 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\SYSTEM32\DRIVERS\motccgpfl.sys [4/24/2009 3:42 PM 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\SYSTEM32\DRIVERS\motodrv.sys [4/24/2009 3:42 PM 42112]
S3 motport;Motorola USB Diagnostic Port;c:\windows\SYSTEM32\DRIVERS\motport.sys [4/24/2009 3:42 PM 23680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/clientapps/AutoSearch/SearchBarLM/YSetSearch/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-19 02:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
geyekrtvakqlrs.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(796)
geyekrtvakqlrs.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll
c:\windows\system32\WININET.dll
.
Completion time: 2009-08-19 2:43
ComboFix-quarantined-files.txt 2009-08-19 06:43

Pre-Run: 78,722,191,360 bytes free
Post-Run: 82,365,321,216 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
187 --- E O F --- 2009-08-10 02:25

#10 Buckeye_Sam

Malware Expert

Posted 19 August 2009 - 12:10 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

    File::
    c:\windows\system32\geyekrtvakqlrs.dll

Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

#11 joel3527


Posted 19 August 2009 - 02:37 PM

ComboFix 09-08-18.04 - Joel Woznicki 08/19/2009 15:07.4.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.521 [GMT -4:00]
Running from: c:\documents and settings\Joel Woznicki\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Joel Woznicki\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\system32\geyekrtvakqlrs.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Fonts\WPHV07NB.TTF
c:\windows\system32\TIControlPanel.cpl.manifest

Infected copy of c:\windows\system32\mspmsnsv.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mspmsnsv.dll

.
((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 )))))))))))))))))))))))))))))))
.

2009-08-19 19:23 . 2009-08-19 19:23 -------- d-----w- c:\windows\LastGood
2009-08-11 00:10 . 2009-08-19 06:18 -------- d-s---w- C:\ComboFix
2009-08-10 02:21 . 2009-08-10 02:21 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-10 02:21 . 2009-08-10 02:21 -------- d-----w- c:\program files\MSBuild
2009-08-10 02:20 . 2009-08-10 02:20 -------- d-----w- c:\program files\Reference Assemblies
2009-08-10 02:20 . 2009-08-10 02:20 -------- d-----w- C:\bb5b1de8a65042be88852a54
2009-08-10 02:20 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-10 02:20 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-10 02:20 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-10 02:20 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-10 02:20 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-10 02:20 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-10 02:20 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-03 15:22 . 2009-08-03 15:23 -------- d-----w- C:\HJT
2009-08-02 21:38 . 2009-08-02 21:38 -------- d-----w- c:\program files\CCleaner
2009-08-01 18:35 . 2009-08-01 18:36 -------- d-----w- c:\program files\FrostWire
2009-07-24 22:16 . 2009-07-24 22:21 152576 ----a-w- c:\documents and settings\Joel Woznicki\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-18 19:25 . 2008-09-20 19:36 -------- d-----w- c:\documents and settings\Adam Woznicki\Application Data\FrostWire
2009-08-18 18:50 . 2004-12-30 02:53 68112 -c--a-w- c:\documents and settings\Adam Woznicki\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-18 16:20 . 2004-12-29 14:26 68112 -c--a-w- c:\documents and settings\Terese Woznicki\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-11 14:54 . 2008-09-29 01:38 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-08-11 05:03 . 2008-11-28 02:39 68112 ----a-w- c:\documents and settings\Joel Woznicki\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 00:45 . 2008-12-02 00:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malwares
2009-08-03 17:36 . 2008-12-01 23:46 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2008-12-01 23:46 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-02 15:27 . 2009-06-14 01:47 1 ----a-w- c:\documents and settings\Elise Woznicki\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-08-02 01:30 . 2007-04-07 03:10 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-01 02:06 . 2009-04-18 19:00 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-29 18:21 . 2008-06-03 15:03 -------- d-----w- c:\documents and settings\Joel Woznicki\Application Data\uTorrent
2009-07-27 16:21 . 2008-12-02 22:40 -------- d-----w- c:\documents and settings\Joel Woznicki\Application Data\FrostWire
2009-07-24 22:21 . 2008-11-28 01:01 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-24 21:53 . 2008-08-06 15:48 -------- d-----w- c:\program files\Common Files\Ahead
2009-07-20 17:05 . 2009-07-20 17:05 -------- d-----w- c:\program files\ComcastUI
2009-07-12 17:46 . 2009-03-24 00:43 1 ----a-w- c:\documents and settings\Joel Woznicki\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-07-10 03:41 . 2007-02-16 01:37 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\McAfee
2009-07-09 19:16 . 2007-02-16 02:06 -------- d-----w- c:\program files\McAfee
2009-07-03 17:09 . 2004-08-04 11:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 20:24 . 2009-06-29 20:24 -------- d-----w- c:\program files\iTunes
2009-06-29 20:24 . 2009-06-29 20:24 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-29 20:24 . 2005-12-25 14:49 -------- d-----w- c:\program files\iPod
2009-06-29 20:24 . 2007-07-10 00:52 -------- d-----w- c:\program files\Common Files\Apple
2009-06-29 20:21 . 2006-03-14 02:56 -------- d-----w- c:\program files\QuickTime
2009-06-26 19:01 . 2009-06-26 04:33 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-06-26 01:17 . 2008-11-28 01:39 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\avg8
2009-06-23 17:30 . 2009-06-23 17:30 -------- d-----w- c:\program files\Nero
2009-06-22 16:18 . 2009-06-22 16:18 -------- d-----w- c:\documents and settings\Joel Woznicki\Application Data\Leadertech
2009-06-16 14:36 . 2004-08-04 11:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 11:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-14 01:04 . 2009-04-25 17:24 1 ----a-w- c:\documents and settings\Terese Woznicki\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-09 02:18 . 2009-04-18 14:24 1 ----a-w- c:\documents and settings\Alan Woznicki\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-03 23:50 . 2009-04-03 00:54 1 ----a-w- c:\documents and settings\Adam Woznicki\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-03 19:09 . 2004-08-04 11:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 02:08 . 2009-02-18 04:38 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-31 15:43 . 2004-12-30 00:53 68112 -c--a-w- c:\documents and settings\Elise Woznicki\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-25 16:24 . 2008-07-24 16:07 177034 ----a-w- c:\windows\hpwins19.dat
2008-04-24 02:35 . 2005-01-09 21:03 848 -csha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-08-19_06.40.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-19 19:21 . 2009-08-19 19:21 16384 c:\windows\Temp\Perflib_Perfdata_7cc.dat
+ 2004-12-29 00:45 . 2009-08-19 19:04 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2004-12-29 00:45 . 2009-08-19 06:22 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2004-12-29 00:45 . 2009-08-19 06:22 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2004-12-29 00:45 . 2009-08-19 19:04 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2004-12-29 00:45 . 2009-08-19 19:04 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
- 2004-12-29 00:45 . 2009-08-19 06:22 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
+ 2009-04-18 22:01 . 2009-08-19 06:22 245760 c:\windows\SYSTEM32\CONFIG\systemprofile\IETldCache\index.dat
- 2009-04-18 22:01 . 2009-08-18 22:12 245760 c:\windows\SYSTEM32\CONFIG\systemprofile\IETldCache\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-09 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 1388544]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-09-20 4583424]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-24 148888]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-30 520024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

c:\documents and settings\Adam Woznicki\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\Terese Woznicki\Start Menu\Programs\Startup\
Expedia Fare Alert.lnk - c:\program files\Expedia\Expedia Fare Alert\ExpediaFareAlert.exe [2007-2-12 696320]
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\Alan Woznicki\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\Elise Woznicki\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ lsdelete

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Joel Woznicki^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\Joel Woznicki\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Documents and Settings\\AdamWoznicki\\My Documents\\HTML\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\WINDOWS\\SYSTEM32\\FXSCLNT.EXE"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqbam08.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [2/16/2009 11:00 PM 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 5:34 PM 1029456]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/28/2008 9:18 PM 210216]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\SYSTEM32\DRIVERS\motccgp.sys [4/24/2009 3:42 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\SYSTEM32\DRIVERS\motccgpfl.sys [4/24/2009 3:42 PM 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\SYSTEM32\DRIVERS\motodrv.sys [4/24/2009 3:42 PM 42112]
S3 motport;Motorola USB Diagnostic Port;c:\windows\SYSTEM32\DRIVERS\motport.sys [4/24/2009 3:42 PM 23680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/clientapps/AutoSearch/SearchBarLM/YSetSearch/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-19 15:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
geyekrtvakqlrs.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(788)
geyekrtvakqlrs.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(456)
c:\windows\system32\WININET.dll
geyekrtvakqlrs.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\McAfee\VirusScan\Mcshield.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\SYSTEM32\WBEM\UNSECAPP.EXE
c:\program files\iPod\bin\iPodService.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
.
**************************************************************************
.
Completion time: 2009-08-19 15:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-19 19:33
ComboFix2.txt 2009-08-19 06:43

Pre-Run: 82,384,433,152 bytes free
Post-Run: 82,318,958,592 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
238 --- E O F --- 2009-08-19 19:27

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert



Posted 20 August 2009 - 08:45 AM

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    geyekrtvakqlrs.*
    
    :regfind
    geyekrtvakqlrs
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 joel3527

joel3527
  • Topic Starter


Posted 20 August 2009 - 04:39 PM

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 17:33 on 20/08/2009 by Joel Woznicki (Administrator - Elevation successful)

========== filefind ==========

Searching for "geyekrtvakqlrs.*"
No files found.

========== regfind ==========

Searching for "geyekrtvakqlrs"
No data found.

-=End Of File=-

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert



Posted 21 August 2009 - 11:19 AM

Are there any other drives that have been associated with this computer?

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.



========================================================

#15 joel3527

joel3527
  • Topic Starter


Posted 22 August 2009 - 12:55 PM

I'm pretty sure we only have one drive, though I'm unsure of where I would have another.

GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-22 13:54:41
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEBB4D4EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEBB4D498]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEBB4D4AC]
Code 871776C0 ZwEnumerateKey
Code 86D931B0 ZwFlushInstructionCache
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEBB4D52A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEBB4D470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEBB4D484]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEBB4D4FE]
Code 8717AAB6 ZwSaveKey
Code 8717B19E ZwSaveKeyEx
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEBB4D4D6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEBB4D4C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEBB4D559]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEBB4D540]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEBB4D514]
Code 871795BE IofCallDriver
Code 8716FE56 IofCompleteRequest
Code 80A5D0BA KeFindConfigurationEntry
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E13A7 5 Bytes JMP 871795C3
.text ntoskrnl.exe!IofCompleteRequest 804E17BD 5 Bytes JMP 8716FE5B
.text ntoskrnl.exe!ZwYieldExecution 80515A6A 7 Bytes JMP EBB4D518 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 80578E14 5 Bytes JMP 871776C4
PAGE ntoskrnl.exe!NtCreateFile 8057C328 5 Bytes JMP EBB4D4EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8057CFC0 5 Bytes JMP EBB4D4C6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 8057DEF1 5 Bytes JMP EBB4D544 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 8057E369 7 Bytes JMP EBB4D52E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 80581702 5 Bytes JMP EBB4D474 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80581889 7 Bytes JMP EBB4D502 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80587BFB 5 Bytes JMP 86D931B4
PAGE ntoskrnl.exe!ZwCreateProcessEx 8058B7CD 7 Bytes JMP EBB4D4B0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 8058E695 5 Bytes JMP EBB4D55D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B0470 5 Bytes JMP EBB4D49C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 805E1939 5 Bytes JMP EBB4D488 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 80635967 5 Bytes JMP EBB4D4DA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSaveKey 8065616E 5 Bytes JMP 8717AABA
PAGE ntoskrnl.exe!ZwSaveKeyEx 80656259 5 Bytes JMP 8717B1A2

---- User code sections - GMER 1.0.15 ----

.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[512] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0089000A
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[540] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003A000A
.text C:\WINDOWS\system32\winlogon.exe[732] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0062000A
.text C:\WINDOWS\system32\services.exe[780] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003A000A
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 013A0FE5
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 013A0082
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 013A0071
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 013A0056
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 013A002F
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 013A0F9E
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 013A0F61
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 013A00A9
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 013A00D5
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 013A00BA
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 013A0F2B
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 013A0F8D
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 013A0000
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 013A0F72
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 013A0FB9
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 013A0FCA
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 013A0F46
.text C:\WINDOWS\system32\services.exe[780] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AB0FAF
.text C:\WINDOWS\system32\services.exe[780] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AB0051
.text C:\WINDOWS\system32\services.exe[780] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AB0FC0
.text C:\WINDOWS\system32\services.exe[780] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AB0000
.text C:\WINDOWS\system32\services.exe[780] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AB0036
.text C:\WINDOWS\system32\services.exe[780] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AB0FE5
.text C:\WINDOWS\system32\services.exe[780] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00AB0F94
.text C:\WINDOWS\system32\services.exe[780] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [CB, 88]
.text C:\WINDOWS\system32\services.exe[780] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AB001B
.text C:\WINDOWS\system32\services.exe[780] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AA0036
.text C:\WINDOWS\system32\services.exe[780] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AA0025
.text C:\WINDOWS\system32\services.exe[780] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AA0FBC
.text C:\WINDOWS\system32\services.exe[780] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AA0FE3
.text C:\WINDOWS\system32\services.exe[780] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AA0FAB
.text C:\WINDOWS\system32\services.exe[780] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AA0000
.text C:\WINDOWS\system32\services.exe[780] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 00A80FE5
.text C:\WINDOWS\system32\services.exe[780] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 00A80FD4
.text C:\WINDOWS\system32\services.exe[780] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00A80FC3
.text C:\WINDOWS\system32\services.exe[780] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 00A80FA8
.text C:\WINDOWS\system32\services.exe[780] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A90FEF
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 010D0FEF
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 010D0F94
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 010D0089
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 010D006E
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 010D0051
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 010D002F
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 010D0F72
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 010D0F83
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010D0F43
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010D00DC
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 010D00ED
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 010D0040
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 010D0FD4
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!CreatePipe 7C81D83F 3 Bytes JMP 010D00AE
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!CreatePipe + 4 7C81D843 1 Byte [84]
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 010D0014
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 010D0FC3
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 010D00CB
.text C:\WINDOWS\system32\lsass.exe[792] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FF002C
.text C:\WINDOWS\system32\lsass.exe[792] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FF0F94
.text C:\WINDOWS\system32\lsass.exe[792] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FF001B
.text C:\WINDOWS\system32\lsass.exe[792] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\lsass.exe[792] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FF0FAF
.text C:\WINDOWS\system32\lsass.exe[792] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\lsass.exe[792] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00FF0FC0
.text C:\WINDOWS\system32\lsass.exe[792] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1F, 89]
.text C:\WINDOWS\system32\lsass.exe[792] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FF003D
.text C:\WINDOWS\system32\lsass.exe[792] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E60F8D
.text C:\WINDOWS\system32\lsass.exe[792] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E60FA8
.text C:\WINDOWS\system32\lsass.exe[792] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E60022
.text C:\WINDOWS\system32\lsass.exe[792] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E60000
.text C:\WINDOWS\system32\lsass.exe[792] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E60FC3
.text C:\WINDOWS\system32\lsass.exe[792] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E60011
.text C:\WINDOWS\system32\lsass.exe[792] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E5000A
.text C:\WINDOWS\system32\lsass.exe[792] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 00E40FEF
.text C:\WINDOWS\system32\lsass.exe[792] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 00E40FD4
.text C:\WINDOWS\system32\lsass.exe[792] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00E40014
.text C:\WINDOWS\system32\lsass.exe[792] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 00E4002F
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[804] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003E000A
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FB0000
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FB0F68
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FB0053
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FB0F79
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FB0F8A
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FB0FAF
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FB00A6
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FB0095
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FB0F1E
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FB00C1
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FB00DC
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FB0036
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FB0011
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FB0078
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FB0FC0
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FB0FD1
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FB0F43
.text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FA0025
.text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FA006C
.text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FA0FD4
.text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FA000A
.text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FA005B
.text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FA0FEF
.text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FA0040
.text C:\WINDOWS\system32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FA0FB9
.text C:\WINDOWS\system32\svchost.exe[968] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F90FAD
.text C:\WINDOWS\system32\svchost.exe[968] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F90038
.text C:\WINDOWS\system32\svchost.exe[968] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F90FE3
.text C:\WINDOWS\system32\svchost.exe[968] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F90000
.text C:\WINDOWS\system32\svchost.exe[968] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F90FC8
.text C:\WINDOWS\system32\svchost.exe[968] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F9001D
.text C:\WINDOWS\system32\svchost.exe[968] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 00F50FE5
.text C:\WINDOWS\system32\svchost.exe[968] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 00F50FD4
.text C:\WINDOWS\system32\svchost.exe[968] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00F50FB9
.text C:\WINDOWS\system32\svchost.exe[968] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 00F50FA8
.text C:\WINDOWS\system32\svchost.exe[968] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F80FEF
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FE0089
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FE0064
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FE0053
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FE0F94
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FE002C
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FE00D2
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FE00C1
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FE010B
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FE0F68
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FE011C
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FE0FA5
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FE0FE5
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FE009A
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FE001B
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FE0FCA
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FE0F79
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FC0FB9
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FC0F68
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FC0FCA
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FC0000
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FC0F8D
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FC0FEF
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FC002F
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FC0FA8
.text C:\WINDOWS\system32\svchost.exe[1068] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FB0FC8
.text C:\WINDOWS\system32\svchost.exe[1068] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FB0049
.text C:\WINDOWS\system32\svchost.exe[1068] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FB0FE3
.text C:\WINDOWS\system32\svchost.exe[1068] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FB000C
.text C:\WINDOWS\system32\svchost.exe[1068] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FB0038
.text C:\WINDOWS\system32\svchost.exe[1068] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FB001D
.text C:\WINDOWS\system32\svchost.exe[1068] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 00F90000
.text C:\WINDOWS\system32\svchost.exe[1068] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 00F90011
.text C:\WINDOWS\system32\svchost.exe[1068] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00F90022
.text C:\WINDOWS\system32\svchost.exe[1068] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 00F9003D
.text C:\WINDOWS\system32\svchost.exe[1068] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FA000A
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02FB0FEF
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02FB0F80
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02FB0F9B
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02FB0069
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02FB0058
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02FB0036
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02FB0F52
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02FB009A
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02FB0F0B
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02FB0F1C
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02FB00BF
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02FB0047
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02FB000A
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02FB0F6F
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02FB001B
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02FB0FD4
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02FB0F37
.text C:\WINDOWS\System32\svchost.exe[1172] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02FA0047
.text C:\WINDOWS\System32\svchost.exe[1172] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02FA007D
.text C:\WINDOWS\System32\svchost.exe[1172] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02FA002C
.text C:\WINDOWS\System32\svchost.exe[1172] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02FA001B
.text C:\WINDOWS\System32\svchost.exe[1172] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02FA0FB6
.text C:\WINDOWS\System32\svchost.exe[1172] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02FA000A
.text C:\WINDOWS\System32\svchost.exe[1172] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02FA0062
.text C:\WINDOWS\System32\svchost.exe[1172] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02FA0FDB
.text C:\WINDOWS\System32\svchost.exe[1172] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02E10070
.text C:\WINDOWS\System32\svchost.exe[1172] msvcrt.dll!system 77C293C7 5 Bytes JMP 02E1005F
.text C:\WINDOWS\System32\svchost.exe[1172] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02E10029
.text C:\WINDOWS\System32\svchost.exe[1172] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02E1000C
.text C:\WINDOWS\System32\svchost.exe[1172] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02E1004E
.text C:\WINDOWS\System32\svchost.exe[1172] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02E10FEF
.text C:\WINDOWS\System32\svchost.exe[1172] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 02C50000
.text C:\WINDOWS\System32\svchost.exe[1172] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 02C50FDB
.text C:\WINDOWS\System32\svchost.exe[1172] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 02C50FCA
.text C:\WINDOWS\System32\svchost.exe[1172] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 02C50FB9
.text C:\WINDOWS\System32\svchost.exe[1172] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02E00000
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1248] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0080000A
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1248] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1248] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[1284] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0066000A
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00930000
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00930076
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00930F8B
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00930065
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00930FA8
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00930036
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00930093
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00930F4B
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009300C6
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009300B5
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00930F12
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00930FB9
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00930FEF
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00930F66
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00930FCA
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00930025
.text C:\WINDOWS\system32\svchost.exe[1284] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009300A4
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00920FDB
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00920073
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0092002C
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0092001B
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00920FB6
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0092000A
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00920058
.text C:\WINDOWS\system32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00920047
.text C:\WINDOWS\system32\svchost.exe[1284] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00910FB7
.text C:\WINDOWS\system32\svchost.exe[1284] msvcrt.dll!system 77C293C7 5 Bytes JMP 00910FD2
.text C:\WINDOWS\system32\svchost.exe[1284] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00910038
.text C:\WINDOWS\system32\svchost.exe[1284] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0091000C
.text C:\WINDOWS\system32\svchost.exe[1284] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00910FE3
.text C:\WINDOWS\system32\svchost.exe[1284] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0091001D
.text C:\WINDOWS\system32\svchost.exe[1284] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 00900000
.text C:\WINDOWS\system32\svchost.exe[1284] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 0090001B
.text C:\WINDOWS\system32\svchost.exe[1284] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00900FE5
.text C:\WINDOWS\system32\svchost.exe[1284] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 00900FCA
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A40FE5
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A4002C
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A40F37
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A40F5E
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A4001B
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A40000
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!GetStartupInfoW 7C801E54 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A40058
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A40F1C
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A40EDD
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A40EEE
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A40091
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A40F79
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A40FD4
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A4003D
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A40F94
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A40FB9
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A40EFF
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A3005B
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A30091
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A30036
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A30025
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A30080
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A30000
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A30FDE
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C3, 88]
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A30FEF
.text C:\WINDOWS\system32\svchost.exe[1340] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A20FA6
.text C:\WINDOWS\system32\svchost.exe[1340] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A20031
.text C:\WINDOWS\system32\svchost.exe[1340] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A20FD2
.text C:\WINDOWS\system32\svchost.exe[1340] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A20FE3
.text C:\WINDOWS\system32\svchost.exe[1340] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A20FC1
.text C:\WINDOWS\system32\svchost.exe[1340] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A20000
.text C:\WINDOWS\system32\svchost.exe[1340] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 00A00FE5
.text C:\WINDOWS\system32\svchost.exe[1340] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 00A00FD4
.text C:\WINDOWS\system32\svchost.exe[1340] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00A00FC3
.text C:\WINDOWS\system32\svchost.exe[1340] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 00A00014
.text C:\WINDOWS\system32\svchost.exe[1340] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A10FEF
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[1372] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 006B000A
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CA0000
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CA0FAC
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CA00A1
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CA0084
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CA0073
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CA0047
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CA0F91
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CA00D7
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CA00FE
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!CreateProcessA 7C80236B 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CA0F6F
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CA0119
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CA0058
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CA001B
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CA00BC
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CA0FE5
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CA0036
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CA0F80
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C90FAF
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C90051
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C90000
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C90FD4
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C90F8A
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C90FE5
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C9002C
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C9001B
.text C:\WINDOWS\system32\svchost.exe[1464] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C8006E
.text C:\WINDOWS\system32\svchost.exe[1464] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C80049
.text C:\WINDOWS\system32\svchost.exe[1464] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C8002E
.text C:\WINDOWS\system32\svchost.exe[1464] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C8000C
.text C:\WINDOWS\system32\svchost.exe[1464] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C80FD9
.text C:\WINDOWS\system32\svchost.exe[1464] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C8001D
.text C:\WINDOWS\system32\svchost.exe[1464] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 00C60FE5
.text C:\WINDOWS\system32\svchost.exe[1464] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 00C60FD4
.text C:\WINDOWS\system32\svchost.exe[1464] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00C60FAF
.text C:\WINDOWS\system32\svchost.exe[1464] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 00C60000
.text C:\WINDOWS\system32\svchost.exe[1464] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C70FEF
.text C:\Program Files\iPod\bin\iPodService.exe[1712] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0071000A
.text C:\WINDOWS\system32\svchost.exe[1760] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0066000A
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D00000
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D00F88
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D00F99
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D00073
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D00062
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D00FCA
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D000A2
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D00F5A
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D00F24
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D00F35
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D000D8
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D00047
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D00011
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D00F77
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D00FDB
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D00022
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D000BD
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C00047
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C00FC0
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C0002C
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C00011
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C0007D
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C00000
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C00FDB
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E0, 88] {LOOPNZ 0xffffffffffffff8a}
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C00058
.text C:\WINDOWS\system32\svchost.exe[1760] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BF0F8B
.text C:\WINDOWS\system32\svchost.exe[1760] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BF0FA6
.text C:\WINDOWS\system32\svchost.exe[1760] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BF0FC1
.text C:\WINDOWS\system32\svchost.exe[1760] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\svchost.exe[1760] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BF0016
.text C:\WINDOWS\system32\svchost.exe[1760] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BF0FD2
.text C:\WINDOWS\system32\svchost.exe[1760] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 00BD000A
.text C:\WINDOWS\system32\svchost.exe[1760] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 00BD001B
.text C:\WINDOWS\system32\svchost.exe[1760] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00BD0036
.text C:\WINDOWS\system32\svchost.exe[1760] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 00BD0FE5
.text C:\WINDOWS\system32\svchost.exe[1760] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\svchost.exe[1888] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0066000A
.text C:\WINDOWS\system32\svchost.exe[1888] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E90FEF
.text C:\WINDOWS\system32\svchost.exe[1888] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E9006E
.text C:\WINDOWS\system32\svchost.exe[1888] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E90049
.text C:\WINDOWS\system32\svchost.exe[1888] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E90F6F
.text C:\WINDOWS\system32\svchost.exe[1888] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E90F80
.text C:\WINDOWS\system32\svchost.exe[1888] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E9001B
.text C:\WINDOWS\system32\svchost.exe[1888] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E90F37
.text C:\WINDOWS\system32\svchost.exe[1888] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E90F54
.text C:\WINDOWS\system32\svchost.exe[1888] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E90090
.text C:\WINDOWS\system32\svchost.exe[1888] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E90F01
.text C:\WINDOWS\system32\svchost.exe[1888] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E900AB
.text C:\WINDOWS\system32\svchost.exe[1888] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E9002C
.text C:\WINDOWS\system32\svchost.exe[1888] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E90FD4
.text C:\WINDOWS\system32\svchost.exe[1888] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E9007F
.text C:\WINDOWS\system32\svchost.exe[1888] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E90FB9
.text C:\WINDOWS\system32\svchost.exe[1888] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E9000A
.text C:\WINDOWS\system32\svchost.exe[1888] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E90F1C
.text C:\WINDOWS\system32\svchost.exe[1888] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E8002C
.text C:\WINDOWS\system32\svchost.exe[1888] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E80F94
.text C:\WINDOWS\system32\svchost.exe[1888] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E8001B
.text C:\WINDOWS\system32\svchost.exe[1888] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E80FE5
.text C:\WINDOWS\system32\svchost.exe[1888] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E80FA5
.text C:\WINDOWS\system32\svchost.exe[1888] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E8000A
.text C:\WINDOWS\system32\svchost.exe[1888] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E80047
.text C:\WINDOWS\system32\svchost.exe[1888] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E80FB6
.text C:\WINDOWS\system32\svchost.exe[1888] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E70033
.text C:\WINDOWS\system32\svchost.exe[1888] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E70FA8
.text C:\WINDOWS\system32\svchost.exe[1888] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E70FCD
.text C:\WINDOWS\system32\svchost.exe[1888] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E70FEF
.text C:\WINDOWS\system32\svchost.exe[1888] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E70018
.text C:\WINDOWS\system32\svchost.exe[1888] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E70FDE
.text C:\WINDOWS\system32\svchost.exe[1888] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 00E60000
.text C:\WINDOWS\system32\svchost.exe[1888] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 00E60011
.text C:\WINDOWS\system32\svchost.exe[1888] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00E60FDB
.text C:\WINDOWS\system32\svchost.exe[1888] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 00E6002C
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[1968] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0069000A
.text C:\WINDOWS\System32\svchost.exe[1976] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0066000A
.text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00990F7E
.text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00990073
.text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00990F99
.text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00990062
.text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00990040
.text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0099009F
.text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00990F63
.text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00990F21
.text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009900BA
.text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00990F10
.text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00990051
.text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00990FEF
.text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0099008E
.text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0099002F
.text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00990FDE
.text C:\WINDOWS\System32\svchost.exe[1976] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00990F32
.text C:\WINDOWS\System32\svchost.exe[1976] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00980FCA
.text C:\WINDOWS\System32\svchost.exe[1976] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00980F79
.text C:\WINDOWS\System32\svchost.exe[1976] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0098001B
.text C:\WINDOWS\System32\svchost.exe[1976] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0098000A
.text C:\WINDOWS\System32\svchost.exe[1976] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00980F8A
.text C:\WINDOWS\System32\svchost.exe[1976] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00980FEF
.text C:\WINDOWS\System32\svchost.exe[1976] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00980036
.text C:\WINDOWS\System32\svchost.exe[1976] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00980FAF
.text C:\WINDOWS\System32\svchost.exe[1976] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00970FAF
.text C:\WINDOWS\System32\svchost.exe[1976] msvcrt.dll!system 77C293C7 5 Bytes JMP 00970044
.text C:\WINDOWS\System32\svchost.exe[1976] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00970033
.text C:\WINDOWS\System32\svchost.exe[1976] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00970FEF
.text C:\WINDOWS\System32\svchost.exe[1976] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00970FDE
.text C:\WINDOWS\System32\svchost.exe[1976] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00970018
.text C:\WINDOWS\System32\svchost.exe[1976] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 00950FEF
.text C:\WINDOWS\System32\svchost.exe[1976] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 0095000A
.text C:\WINDOWS\System32\svchost.exe[1976] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 0095001B
.text C:\WINDOWS\System32\svchost.exe[1976] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 00950FCA
.text C:\WINDOWS\System32\svchost.exe[1976] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00960FE5
.text C:\WINDOWS\system32\nvsvc32.exe[2060] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 006A000A
.text C:\WINDOWS\System32\svchost.exe[2076] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0066000A
.text C:\WINDOWS\System32\svchost.exe[2076] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00990FEF
.text C:\WINDOWS\System32\svchost.exe[2076] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00990062
.text C:\WINDOWS\System32\svchost.exe[2076] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00990047
.text C:\WINDOWS\System32\svchost.exe[2076] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00990F6D
.text C:\WINDOWS\System32\svchost.exe[2076] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00990036
.text C:\WINDOWS\System32\svchost.exe[2076] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00990025
.text C:\WINDOWS\System32\svchost.exe[2076] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0099009A
.text C:\WINDOWS\System32\svchost.exe[2076] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00990089
.text C:\WINDOWS\System32\svchost.exe[2076] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009900EB
.text C:\WINDOWS\System32\svchost.exe[2076] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009900DA
.text C:\WINDOWS\System32\svchost.exe[2076] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00990F2D
.text C:\WINDOWS\System32\svchost.exe[2076] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00990F9E
.text C:\WINDOWS\System32\svchost.exe[2076] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00990FDE
.text C:\WINDOWS\System32\svchost.exe[2076] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00990F52
.text C:\WINDOWS\System32\svchost.exe[2076] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00990014
.text C:\WINDOWS\System32\svchost.exe[2076] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00990FC3
.text C:\WINDOWS\System32\svchost.exe[2076] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009900BF
.text C:\WINDOWS\System32\svchost.exe[2076] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00980FB2
.text C:\WINDOWS\System32\svchost.exe[2076] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00980F75
.text C:\WINDOWS\System32\svchost.exe[2076] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00980FCD
.text C:\WINDOWS\System32\svchost.exe[2076] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00980FDE
.text C:\WINDOWS\System32\svchost.exe[2076] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00980F86
.text C:\WINDOWS\System32\svchost.exe[2076] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00980FEF
.text C:\WINDOWS\System32\svchost.exe[2076] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00980FA1
.text C:\WINDOWS\System32\svchost.exe[2076] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B8, 88]
.text C:\WINDOWS\System32\svchost.exe[2076] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00980028
.text C:\WINDOWS\System32\svchost.exe[2076] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00970F9C
.text C:\WINDOWS\System32\svchost.exe[2076] msvcrt.dll!system 77C293C7 5 Bytes JMP 00970027
.text C:\WINDOWS\System32\svchost.exe[2076] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00970FD2
.text C:\WINDOWS\System32\svchost.exe[2076] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00970FEF
.text C:\WINDOWS\System32\svchost.exe[2076] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00970FB7
.text C:\WINDOWS\System32\svchost.exe[2076] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0097000C
.text C:\WINDOWS\System32\svchost.exe[2076] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 00950000
.text C:\WINDOWS\System32\svchost.exe[2076] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 00950FDB
.text C:\WINDOWS\System32\svchost.exe[2076] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00950011
.text C:\WINDOWS\System32\svchost.exe[2076] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 00950FC0
.text C:\WINDOWS\System32\svchost.exe[2076] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00960FEF
.text C:\WINDOWS\system32\svchost.exe[2200] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0066000A
.text C:\WINDOWS\system32\svchost.exe[2200] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01010FEF
.text C:\WINDOWS\system32\svchost.exe[2200] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01010085
.text C:\WINDOWS\system32\svchost.exe[2200] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01010F86
.text C:\WINDOWS\system32\svchost.exe[2200] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01010F97
.text C:\WINDOWS\system32\svchost.exe[2200] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01010FB2
.text C:\WINDOWS\system32\svchost.exe[2200] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01010040
.text C:\WINDOWS\system32\svchost.exe[2200] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01010F3D
.text C:\WINDOWS\system32\svchost.exe[2200] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01010F4E
.text C:\WINDOWS\system32\svchost.exe[2200] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010100BB
.text C:\WINDOWS\system32\svchost.exe[2200] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010100A0
.text C:\WINDOWS\system32\svchost.exe[2200] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01010F07
.text C:\WINDOWS\system32\svchost.exe[2200] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01010FC3
.text C:\WINDOWS\system32\svchost.exe[2200] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01010FD4
.text C:\WINDOWS\system32\svchost.exe[2200] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01010F6B
.text C:\WINDOWS\system32\svchost.exe[2200] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0101002F
.text C:\WINDOWS\system32\svchost.exe[2200] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0101000A
.text C:\WINDOWS\system32\svchost.exe[2200] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01010F22
.text C:\WINDOWS\system32\svchost.exe[2200] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FF0022
.text C:\WINDOWS\system32\svchost.exe[2200] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FF004E
.text C:\WINDOWS\system32\svchost.exe[2200] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FF0FDB
.text C:\WINDOWS\system32\svchost.exe[2200] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FF0011
.text C:\WINDOWS\system32\svchost.exe[2200] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FF0F91
.text C:\WINDOWS\system32\svchost.exe[2200] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\svchost.exe[2200] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00FF0FAC
.text C:\WINDOWS\system32\svchost.exe[2200] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1F, 89]
.text C:\WINDOWS\system32\svchost.exe[2200] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FF003D
.text C:\WINDOWS\system32\svchost.exe[2200] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FE004E
.text C:\WINDOWS\system32\svchost.exe[2200] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FE003D
.text C:\WINDOWS\system32\svchost.exe[2200] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FE0FCD
.text C:\WINDOWS\system32\svchost.exe[2200] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\svchost.exe[2200] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FE0022
.text C:\WINDOWS\system32\svchost.exe[2200] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FE0FDE
.text C:\WINDOWS\system32\svchost.exe[2200] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 00FD0000
.text C:\WINDOWS\system32\svchost.exe[2200] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 00FD0011
.text C:\WINDOWS\system32\svchost.exe[2200] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00FD0FD1
.text C:\WINDOWS\system32\svchost.exe[2200] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 00FD0022
.text c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe[2576] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00CC000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[2664] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00D2000A
.text C:\WINDOWS\Explorer.EXE[2704] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00BA000A
.text C:\WINDOWS\Explorer.EXE[2704] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0000
.text C:\WINDOWS\Explorer.EXE[2704] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0F61
.text C:\WINDOWS\Explorer.EXE[2704] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0F72
.text C:\WINDOWS\Explorer.EXE[2704] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0F8D
.text C:\WINDOWS\Explorer.EXE[2704] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B004A
.text C:\WINDOWS\Explorer.EXE[2704] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0FA8
.text C:\WINDOWS\Explorer.EXE[2704] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B0F2B
.text C:\WINDOWS\Explorer.EXE[2704] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0F46
.text C:\WINDOWS\Explorer.EXE[2704] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0F1A
.text C:\WINDOWS\Explorer.EXE[2704] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B00B3
.text C:\WINDOWS\Explorer.EXE[2704] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B00CE
.text C:\WINDOWS\Explorer.EXE[2704] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B002F
.text C:\WINDOWS\Explorer.EXE[2704] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B0FE5
.text C:\WINDOWS\Explorer.EXE[2704] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B0071
.text C:\WINDOWS\Explorer.EXE[2704] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B0FB9
.text C:\WINDOWS\Explorer.EXE[2704] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B0FCA
.text C:\WINDOWS\Explorer.EXE[2704] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B0098
.text C:\WINDOWS\Explorer.EXE[2704] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A0FDB
.text C:\WINDOWS\Explorer.EXE[2704] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A0073
.text C:\WINDOWS\Explorer.EXE[2704] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A0036
.text C:\WINDOWS\Explorer.EXE[2704] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A001B
.text C:\WINDOWS\Explorer.EXE[2704] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002A0FC0
.text C:\WINDOWS\Explorer.EXE[2704] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002A000A
.text C:\WINDOWS\Explorer.EXE[2704] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002A0062
.text C:\WINDOWS\Explorer.EXE[2704] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002A0047
.text C:\WINDOWS\Explorer.EXE[2704] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002B007F
.text C:\WINDOWS\Explorer.EXE[2704] msvcrt.dll!system 77C293C7 5 Bytes JMP 002B0064
.text C:\WINDOWS\Explorer.EXE[2704] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002B0038
.text C:\WINDOWS\Explorer.EXE[2704] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002B000C
.text C:\WINDOWS\Explorer.EXE[2704] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002B0049
.text C:\WINDOWS\Explorer.EXE[2704] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002B001D
.text C:\WINDOWS\Explorer.EXE[2704] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 002D0000
.text C:\WINDOWS\Explorer.EXE[2704] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 002D0011
.text C:\WINDOWS\Explorer.EXE[2704] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 002D002C
.text C:\WINDOWS\Explorer.EXE[2704] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 002D003D
.text C:\WINDOWS\Explorer.EXE[2704] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02800FE5
.text C:\WINDOWS\system32\wbem\unsecapp.exe[2880] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00ED000A
.text C:\Documents and Settings\Joel Woznicki\Desktop\gmer.exe[3348] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003A000A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3432] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0075000A
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3476] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003C000A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3540] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0075000A
.text ...
.text C:\WINDOWS\system32\wuauclt.exe[4212] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001C0000
.text C:\WINDOWS\system32\wuauclt.exe[4212] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C0F72
.text C:\WINDOWS\system32\wuauclt.exe[4212] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001C0F83
.text C:\WINDOWS\system32\wuauclt.exe[4212] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001C0067
.text C:\WINDOWS\system32\wuauclt.exe[4212] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001C004A
.text C:\WINDOWS\system32\wuauclt.exe[4212] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001C0FC3
.text C:\WINDOWS\system32\wuauclt.exe[4212] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001C00A7
.text C:\WINDOWS\system32\wuauclt.exe[4212] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001C0F61
.text C:\WINDOWS\system32\wuauclt.exe[4212] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C0F1F
.text C:\WINDOWS\system32\wuauclt.exe[4212] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001C0F3A
.text C:\WINDOWS\system32\wuauclt.exe[4212] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001C0F04
.text C:\WINDOWS\system32\wuauclt.exe[4212] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001C0FA8
.text C:\WINDOWS\system32\wuauclt.exe[4212] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001C001B
.text C:\WINDOWS\system32\wuauclt.exe[4212] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001C008C
.text C:\WINDOWS\system32\wuauclt.exe[4212] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001C0FD4
.text C:\WINDOWS\system32\wuauclt.exe[4212] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001C0FE5
.text C:\WINDOWS\system32\wuauclt.exe[4212] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001C00B8
.text C:\WINDOWS\system32\wuauclt.exe[4212] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002B0F95
.text C:\WINDOWS\system32\wuauclt.exe[4212] msvcrt.dll!system 77C293C7 5 Bytes JMP 002B0FA6
.text C:\WINDOWS\system32\wuauclt.exe[4212] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002B0FC8
.text C:\WINDOWS\system32\wuauclt.exe[4212] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002B0000
.text C:\WINDOWS\system32\wuauclt.exe[4212] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002B0FB7
.text C:\WINDOWS\system32\wuauclt.exe[4212] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002B0FE3
.text C:\WINDOWS\system32\wuauclt.exe[4212] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002C0FCA
.text C:\WINDOWS\system32\wuauclt.exe[4212] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002C0F9E
.text C:\WINDOWS\system32\wuauclt.exe[4212] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002C0025
.text C:\WINDOWS\system32\wuauclt.exe[4212] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002C0014
.text C:\WINDOWS\system32\wuauclt.exe[4212] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002C005B
.text C:\WINDOWS\system32\wuauclt.exe[4212] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\system32\wuauclt.exe[4212] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002C0FB9
.text C:\WINDOWS\system32\wuauclt.exe[4212] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4C, 88]
.text C:\WINDOWS\system32\wuauclt.exe[4212] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002C0040
.text C:\WINDOWS\system32\wuauclt.exe[4212] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 0069000A
.text C:\WINDOWS\system32\wuauclt.exe[4212] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 0069001B
.text C:\WINDOWS\system32\wuauclt.exe[4212] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00690FEF
.text C:\WINDOWS\system32\wuauclt.exe[4212] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 0069004A
.text C:\WINDOWS\system32\wuauclt.exe[4212] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0091000A
.text C:\Program Files\QuickTime\qttask.exe[4532] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003E000A
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[4564] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003F000A
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[4588] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003D000A
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe[4820] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00DE000A
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[5064] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00ED000A
.text ...

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [232] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [512] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\Program Files\McAfee\MPF\MPFSrv.exe [540] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [732] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [780] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [792] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [804] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ c:\program files\common files\mcafee\mna\mcnasvc.exe [1012] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1068] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1172] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [1248] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1284] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1340] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [1372] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1464] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [1524] 0x00D10000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1588] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\Program Files\iPod\bin\iPodService.exe [1712] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1760] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [1796] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [1828] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [1876] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1888] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe [1968] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1976] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [2008] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\WINDOWS\system32\nvsvc32.exe [2060] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [2076] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2112] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [2200] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe [2576] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ c:\PROGRA~1\mcafee.com\agent\mcagent.exe [2664] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [2704] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\WINDOWS\system32\wbem\unsecapp.exe [2880] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\Program Files\iTunes\iTunesHelper.exe [2976] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\Documents and Settings\Joel Woznicki\Desktop\gmer.exe [3348] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\WINDOWS\system32\wbem\wmiprvse.exe [3432] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe [3476] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\WINDOWS\system32\wbem\wmiprvse.exe [3540] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [3600] 0x01010000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [4012] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe [4156] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\WINDOWS\system32\wuauclt.exe [4212] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\Program Files\QuickTime\qttask.exe [4532] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe [4564] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [4588] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe [4820] 0x003F0000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe [5064] 0x00A60000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [5128] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jusched.exe [5240] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe [5520] 0x003D0000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\WINDOWS\system32\wscript.exe [5812] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrtvakqlrs.dll (*** hidden *** ) @ C:\Program Files\Dell Support Center\bin\sprtcmd.exe [6084] 0x10000000

---- EOF - GMER 1.0.15 ----




