
Firefox and IE Search Engine Redirects


  • This topic is locked
27 replies to this topic

#1 Amanda78

  • Members
  • 16 posts

Posted 17 November 2009 - 10:42 PM

My browsers keep being redirected when I click on search results. This happens in both Firefox and IE, regardless of which search engine is used. Also, additional tabs open on their own with ads and such in them. The sequence of events that has brought me to this point is as follows:
- Antivirus System Pro started popping up and causing error messages to start appearing shortly after bootup.
- Ran Malwarebytes Anti-Malware, SuperAntiSpyware, and Spyware Doctor. It found some stuff, which I would have those programs remove, but after removal, I'd rerun the scan and it seemed the same items were there. (I only used Spyware Doctor to scan my system, I haven't actually bought the program yet so I couldn't use it to remove any of its findings.)
- After updating Windows Defender, it found Trojan:Win32/FakeSpypro. After repeated attempts, it finally removed it (instead of just putting it in quarantine).
- After a McAfee update (which it does daily), it finally alerted me that I had a Trojan Spyware. I ran the scan and deleted all found infections.
- Now the browsers FF & IE started redirecting to random sites and random tabs open up at will.
- The only search engine that doesn't redirect me is startpage.com (just FYI)
- Now I have found BleepingComputer and I'm hoping someone can help me before I lose my mind... (Did I mention I'm the mother of 1 yr old twins... Doesn't take much to make me lose my mind these days... :(

Here is my HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:23:43 PM, on 11/17/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16851)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\wuauclt.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Amanda\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] "C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] "rundll32.exe" C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P7 /q C:\Users\Amanda\AppData\Local\Temp\HSPERF~1.SH! (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P7 /q C:\Users\Amanda\AppData\Local\Temp\HSPERF~1.SH! (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: McAfee Security Scan.lnk = ?
O4 - Global Startup: QuickSet.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\Windows\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)
O23 - Service: Seagate Sync Service - Seagate Technology LLC - C:\Program Files\Seagate\Sync\SeaSyncServices.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10836 bytes
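As an added example (not code from the thread, from BleepingComputer or from HijackThis), a small Python triage pass over entries in the log format shown above: it parses the `Xnn - ...` lines and flags the ones a malware responder would review first (hosts-file overrides, non-default start/search pages, startup items referencing Temp/AppData, services with a missing binary or no publisher). The sample log mixes lines copied from the post with two constructed entries so every rule can fire; the default allowlists and path rules are my assumptions, and a flag means "review this", not "this is malicious".

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# A HijackThis entry looks like "O23 - Service: ..." -> section "O23", body "Service: ...".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")

# Assumption: the only hosts-file mappings a clean install carries.
DEFAULT_HOSTS = {"127.0.0.1 localhost", "::1 localhost"}
# Assumption: start/search pages on these hosts are vendor defaults; anything else is reviewed.
DEFAULT_PAGE_HOSTS = {"go.microsoft.com", "www.microsoft.com", "www.msn.com"}
# Startup entries that reference user-writable scratch directories get a review flag.
USER_WRITABLE = ("\\temp\\", "\\appdata\\")


@dataclass
class Entry:
    section: str            # "R0", "O4", "O23", ...
    body: str               # everything after "Xnn - "
    flags: list = field(default_factory=list)


def parse_hjt(text):
    """Return the 'Xnn - ...' entries of a HijackThis log; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def _page_url(body):
    # R0/R1 bodies: "HKCU\...\Main,Start Page = http://..."; empty values have no " = " part.
    _, sep, value = body.partition(" = ")
    return value.strip() if sep else ""


def triage(entries):
    """Attach review flags. Legitimate products (e.g. a vendor's own shredder task that
    points into Temp) trip these rules too, so each flag needs a human decision."""
    for e in entries:
        low = e.body.lower()
        if e.section in ("R0", "R1"):
            url = _page_url(e.body)
            if url.startswith("http") and (urlparse(url).hostname or "") not in DEFAULT_PAGE_HOSTS:
                e.flags.append("non-default start/search page")
        elif e.section == "O1":
            mapping = e.body.partition("Hosts: ")[2].strip()
            if mapping not in DEFAULT_HOSTS:
                e.flags.append("hosts-file override")
        elif e.section == "O4":
            if any(d in low for d in USER_WRITABLE):
                e.flags.append("startup item referencing Temp/AppData")
        elif e.section in ("O2", "O3", "O18"):
            # BHOs, toolbars and protocol handlers normally live under Program Files or Windows.
            if not re.search(r"program files|progra~\d|\\windows\\", low):
                e.flags.append("browser add-on outside Program Files/Windows")
        elif e.section == "O23":
            if "(file missing)" in low:
                e.flags.append("service binary missing")
            if "unknown owner" in low:
                e.flags.append("service without publisher")
    return [e for e in entries if e.flags]


def flagged_entries(text):
    """Parse then triage, returning only the entries that carry at least one flag."""
    return triage(parse_hjt(text))


# Constructed sample: lines copied from the log above, plus two entries that are NOT in the
# log (a hosts override and a non-default start page, both on reserved example names).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\Windows\Explorer.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.example.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O1 - Hosts: ::1 localhost
O1 - Hosts: 192.0.2.10 search.example.com
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKUS\S-1-5-18\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P7 /q C:\Users\Amanda\AppData\Local\Temp\HSPERF~1.SH! (User 'SYSTEM')
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)
"""

if __name__ == "__main__":
    for e in flagged_entries(SAMPLE_LOG):
        print(f"{e.section:4} {', '.join(e.flags)}\n     {e.body}")
```

Run against a full log it only narrows the list; the O23 "Unknown owner" rule, for instance, also catches the McAfee SiteAdvisor service in the post above, which is why every flag is a prompt to check the file, not a verdict.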


#2 Amanda78
  • Topic Starter

  • Members
  • 16 posts

Posted 22 November 2009 - 10:23 AM

I know you're not supposed to "BUMP" topics but others that have just posted their problem within the last two days are getting help. I posted mine back on the 17th... Please help!!!

Thank you,
Amanda :(

#3 aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai

Posted 25 November 2009 - 09:07 PM

Hello, Amanda78.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not, please perform the following so I can have a look at the current condition of your machine.

Thanks

Please note that I am in the process of my training, so it may take a while for me to get back to you, as each of my fixes needs to be checked by a coach first.

We need to run RSIT
  • Download random's system information tool (RSIT) by random/random and save it to your desktop.
  • Double click on RSIT.exe.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
In your next reply, please include the following:
  • Log.txt
  • info.txt

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#4 Amanda78
  • Topic Starter

  • Members
  • 16 posts

Posted 27 November 2009 - 11:29 PM

Hello aommaster,

Thank you so much for trying to help me with this problem. Below is the log file and the info file is attached. Tomorrow I'm hosting a birthday party for my girls so I may not be able to respond tomorrow but I will check back as soon as I can, either tomorrow evening or Sunday morning.

Thanks again for your help in advance!

Amanda

Logfile of random's system information tool 1.06 (written by random/random)
Run by Amanda at 2009-11-27 21:52:38
Microsoft® Windows Vista™ Home Premium
System drive C: has 40 GB (29%) free of 140 GB
Total RAM: 2046 MB (38% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:53:02 PM, on 11/27/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16851)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\Amanda\Desktop\RSIT.exe
C:\Users\Amanda\Desktop\Amanda.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] "C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] "rundll32.exe" C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P7 /q C:\Users\Amanda\AppData\Local\Temp\HSPERF~1.SH! (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P7 /q C:\Users\Amanda\AppData\Local\Temp\HSPERF~1.SH! (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: McAfee Security Scan.lnk = ?
O4 - Global Startup: QuickSet.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\Windows\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)
O23 - Service: Seagate Sync Service - Seagate Technology LLC - C:\Program Files\Seagate\Sync\SeaSyncServices.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10825 bytes

======Scheduled tasks folder======

C:\Windows\tasks\McDefragTask.job
C:\Windows\tasks\McQcTask.job
C:\Windows\tasks\User_Feed_Synchronization-{DD3F53E4-F1AC-420B-B3EF-93F3BB4B968A}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 63128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27B4851A-3207-45A2-B947-BE8AFE6163AB}]
McAfee Phishing Filter - c:\PROGRA~1\mcafee\msk\mskapbho.dll [2009-07-08 246800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2008-07-26 308856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan\scriptsn.dll [2009-09-16 62784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}]
McAfee SiteAdvisor BHO - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2009-02-13 150032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
CBrowserHelperObject Object - C:\Program Files\BAE\BAE.dll [2007-03-16 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - McAfee SiteAdvisor Toolbar - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2009-02-13 150032]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2007-08-20 1006264]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2007-04-27 857648]
"OEM02Mon.exe"=C:\Windows\OEM02Mon.exe [2007-05-09 36864]
"SigmatelSysTrayApp"=C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe [2007-06-25 405504]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2006-09-11 86960]
"PCMService"=C:\Program Files\Dell\MediaDirect\PCMService.exe [2007-04-16 184320]
"NvSvc"=C:\Windows\system32\nvsvc.dll [2007-10-04 86016]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2007-10-04 8497696]
"NvMediaCenter"=C:\Windows\system32\NvMcTray.dll [2007-10-04 81920]
"NVHotkey"=C:\Windows\system32\nvHotkey.dll [2007-10-04 86016]
"Kernel and Hardware Abstraction Layer"=C:\Windows\KHALMNPR.EXE [2007-01-23 101136]
"LogitechCommunicationsManager"=C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe [2007-01-12 488984]
"LVCOMSX"=C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe [2007-01-12 244512]
"DellSupportCenter"=C:\Program Files\Dell Support Center\bin\sprtcmd.exe [2009-05-21 206064]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-07-26 185896]
"dscactivate"=C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe [2007-11-15 16384]
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2009-10-29 1218008]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-09-05 417792]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-09-21 305440]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2008-01-27 1232896]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2006-11-02 125440]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe [2007-08-08 148760]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe [2007-08-08 1945424]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
C:\Program Files\DellSupport\DSAgnt.exe [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
C:\Program Files\Dell Support Center\bin\sprtcmd.exe [2009-05-21 206064]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe [2007-08-08 1169456]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe [2007-11-15 16384]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MioNet]
C:\Program Files\MioNet\MioNetLauncher.exe /p []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmapp]
C:\Program Files\Pure Networks\Network Magic\nmapp.exe [2008-01-18 451896]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmctxth]
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe [2008-01-08 451896]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2009-09-05 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StxTrayMenu]
C:\Program Files\Seagate\SystemTray\FreeAgentLauncher.exe [2007-01-18 79416]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-07-26 185896]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XboxStat]
c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe silentrun []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
C:\PROGRA~1\Logitech\DESKTO~1\8876480\Program\LOGITE~1.EXE [2008-02-16 67128]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
C:\PROGRA~1\Logitech\SetPoint\SetPoint.exe [2007-01-30 688128]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^Amanda^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
C:\PROGRA~1\MICROS~2\Office12\ONENOTEM.EXE [2008-10-25 98696]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe
McAfee Security Scan.lnk - C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
QuickSet.lnk - C:\Windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=255

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe"="C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe"="C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{130e2757-f114-11dd-b0f4-001c26f430cf}]
shell\AutoRun\command - G:\InstallSeagateManager.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19c5de1e-db4e-11dc-97ac-001c26f430cf}]
shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29eb71af-7384-11dc-b9ac-001c26f430cf}]
shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49d70902-ab1a-11dc-bc6d-001c26f430cf}]
shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e29ddf5-6f54-11dc-bcca-001c26f430cf}]
shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\Info.exe protect.ed 480 480


======List of files/folders created in the last 1 months======

2009-11-27 21:52:38 ----D---- C:\rsit
2009-11-22 10:19:00 ----D---- C:\ProgramData\Real
2009-11-16 23:21:34 ----A---- C:\Windows\system32\lsdelete.exe
2009-11-16 21:49:43 ----HDC---- C:\ProgramData\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-16 21:49:22 ----D---- C:\ProgramData\Lavasoft
2009-11-16 21:49:22 ----D---- C:\Program Files\Lavasoft
2009-11-08 21:55:40 ----N---- C:\Windows\system32\MpSigStub.exe
2009-11-07 15:14:32 ----D---- C:\ProgramData\SUPERAntiSpyware.com
2009-11-07 15:14:08 ----D---- C:\Users\Amanda\AppData\Roaming\SUPERAntiSpyware.com
2009-11-07 15:14:08 ----D---- C:\Program Files\SUPERAntiSpyware
2009-11-07 13:21:15 ----D---- C:\Users\Amanda\AppData\Roaming\Malwarebytes
2009-11-07 13:21:07 ----D---- C:\ProgramData\Malwarebytes
2009-11-07 13:21:06 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-10-28 18:59:09 ----A---- C:\Windows\system32\wups2.dll
2009-10-28 18:59:08 ----A---- C:\Windows\system32\wucltux.dll
2009-10-28 18:59:08 ----A---- C:\Windows\system32\wuaueng.dll
2009-10-28 18:59:08 ----A---- C:\Windows\system32\wuauclt.exe
2009-10-28 18:58:29 ----A---- C:\Windows\system32\wups.dll
2009-10-28 18:58:29 ----A---- C:\Windows\system32\wudriver.dll
2009-10-28 18:58:29 ----A---- C:\Windows\system32\wuapi.dll
2009-10-28 18:58:15 ----A---- C:\Windows\system32\wuwebv.dll
2009-10-28 18:58:15 ----A---- C:\Windows\system32\wuapp.exe

======List of files/folders modified in the last 1 months======

2009-11-27 21:52:59 ----D---- C:\Windows\Temp
2009-11-27 21:52:49 ----D---- C:\Windows\Prefetch
2009-11-27 21:49:50 ----D---- C:\Windows\System32
2009-11-27 21:49:50 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-11-27 21:49:49 ----D---- C:\Windows\inf
2009-11-27 21:44:57 ----D---- C:\Program Files\Mozilla Firefox
2009-11-27 21:43:48 ----D---- C:\Windows\system32\Tasks
2009-11-27 08:25:33 ----AD---- C:\Windows
2009-11-26 08:33:44 ----D---- C:\Windows\Tasks
2009-11-22 10:19:00 ----HD---- C:\ProgramData
2009-11-20 19:46:49 ----A---- C:\Windows\ntbtlog.txt
2009-11-19 08:37:50 ----D---- C:\Windows\system32\drivers
2009-11-16 21:50:35 ----D---- C:\Windows\system32\catroot
2009-11-16 21:50:34 ----DC---- C:\Windows\system32\DRVSTORE
2009-11-16 21:49:43 ----SHD---- C:\Windows\Installer
2009-11-16 21:49:22 ----RD---- C:\Program Files
2009-11-14 15:08:13 ----D---- C:\Program Files\Microsoft Silverlight
2009-11-12 21:12:01 ----D---- C:\Program Files\Common Files
2009-11-12 21:08:12 ----AD---- C:\ProgramData\TEMP
2009-11-12 21:06:27 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-11-08 17:59:30 ----D---- C:\Windows\system32\catroot2
2009-11-08 17:50:22 ----SHD---- C:\System Volume Information
2009-11-08 10:07:52 ----D---- C:\Windows\winsxs
2009-10-29 08:01:31 ----D---- C:\Windows\system32\en-US

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 mfehidk;McAfee Inc. mfehidk; C:\Windows\system32\drivers\mfehidk.sys [2009-09-16 214664]
R1 MPFP;MPFP; C:\Windows\System32\Drivers\Mpfp.sys [2009-07-16 130424]
R2 dsunidrv;DellSupport UniDriver; C:\Windows\system32\DRIVERS\dsunidrv.sys [2007-02-25 5376]
R2 Hardlock;Hardlock; C:\Windows\system32\drivers\hardlock.sys [2006-11-22 693760]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 pnarp;Pure Networks Device Discovery Driver; C:\Windows\system32\DRIVERS\pnarp.sys [2008-01-08 24888]
R2 rimmptsk;rimmptsk; C:\Windows\system32\DRIVERS\rimmptsk.sys [2006-11-27 32256]
R2 rimsptsk;rimsptsk; C:\Windows\system32\DRIVERS\rimsptsk.sys [2006-11-27 43520]
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\Windows\system32\DRIVERS\rixdptsk.sys [2006-11-27 37376]
R2 tifsfilter;Acronis True Image FS Filter; C:\Windows\system32\DRIVERS\tifsfilt.sys [2007-12-08 32768]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 8192]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\Windows\system32\DRIVERS\bcm4sbxp.sys [2006-11-21 45568]
R3 BthEnum;Bluetooth Enumerator Service; C:\Windows\system32\DRIVERS\BthEnum.sys [2008-04-28 19456]
R3 BthPan;Bluetooth Device (Personal Area Network); C:\Windows\system32\DRIVERS\bthpan.sys [2006-11-02 92160]
R3 BTHUSB;Bluetooth Radio USB Driver; C:\Windows\System32\Drivers\BTHUSB.sys [2008-04-28 29184]
R3 btwaudio;Bluetooth Audio Device Service; C:\Windows\system32\drivers\btwaudio.sys [2006-11-06 78128]
R3 btwavdt;Bluetooth AVDT; C:\Windows\system32\drivers\btwavdt.sys [2006-11-06 80176]
R3 btwrchid;btwrchid; C:\Windows\system32\DRIVERS\btwrchid.sys [2006-11-06 16560]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2007-11-17 14208]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2006-11-02 986624]
R3 HSXHWAZL;HSXHWAZL; C:\Windows\system32\DRIVERS\HSXHWAZL.sys [2006-11-02 206848]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\Windows\system32\drivers\mfeavfk.sys [2009-09-16 79816]
R3 mfebopk;McAfee Inc. mfebopk; C:\Windows\system32\drivers\mfebopk.sys [2009-09-16 35272]
R3 mfesmfk;McAfee Inc. mfesmfk; C:\Windows\system32\drivers\mfesmfk.sys [2009-09-16 40552]
R3 NETw4v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw4v32.sys [2007-02-25 2216448]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2007-10-04 7628608]
R3 OEM02Dev;Creative Camera OEM002 Driver; C:\Windows\system32\DRIVERS\OEM02Dev.sys [2007-10-10 235648]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver; C:\Windows\system32\DRIVERS\OEM02Vfx.sys [2007-03-05 7424]
R3 pcouffin;VSO Software pcouffin; C:\Windows\System32\Drivers\pcouffin.sys [2007-08-27 47360]
R3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\Windows\system32\DRIVERS\rfcomm.sys [2006-11-02 49664]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2007-08-25 82432]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\Windows\system32\drivers\stwrt.sys [2007-06-25 326656]
R3 SynTP;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2007-04-27 182456]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2006-11-02 659968]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2007-11-17 11264]
S3 BTHPORT;Bluetooth Port Driver; C:\Windows\System32\Drivers\BTHport.sys [2008-04-28 220160]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2006-11-02 5632]
S3 DSproct;DSproct; \??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys [2006-10-05 4736]
S3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\Windows\system32\DRIVERS\e1e6032.sys [2006-11-02 200704]
S3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver; C:\Windows\system32\DRIVERS\LHidFilt.Sys [2007-01-23 34576]
S3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver; C:\Windows\system32\DRIVERS\LMouFilt.Sys [2007-01-23 33296]
S3 mferkdk;McAfee Inc. mferkdk; C:\Windows\system32\drivers\mferkdk.sys [2009-09-16 34248]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2006-11-02 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2006-11-02 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2006-11-02 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2006-11-02 6016]
S3 R300;R300; C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 2028032]
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM); C:\Windows\system32\DRIVERS\sscdbus.sys [2005-08-17 58352]
S3 sscdmdfl;SAMSUNG CDMA Modem Filter; C:\Windows\system32\DRIVERS\sscdmdfl.sys [2005-08-17 8272]
S3 sscdmdm;SAMSUNG CDMA Modem Drivers; C:\Windows\system32\DRIVERS\sscdmdm.sys [2005-08-17 93872]
S3 sscdserd;SAMSUNG CDMA Modem Diagnostic Serial Port (WDM); C:\Windows\system32\DRIVERS\sscdserd.sys [2005-08-17 73696]
S3 UMPass;Microsoft UMPass Driver; C:\Windows\system32\DRIVERS\umpass.sys [2006-11-02 7168]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2006-11-02 39936]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2006-11-02 82560]
S3 xusb21;Xbox 360 Wireless Receiver Driver Service 21; C:\Windows\system32\DRIVERS\xusb21.sys [2007-02-26 61984]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AcrSch2Svc;Acronis Scheduler2 Service; C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe [2007-08-08 410904]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-08-28 144672]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 BthServ;@%SystemRoot%\System32\bthserv.dll,-101; C:\Windows\system32\svchost.exe [2006-11-02 22016]
R2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\Windows\system32\CTsvcCDA.exe [1999-12-13 44032]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-11-19 1184912]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]
R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2009-07-09 865832]
R2 McNASvc;McAfee Network Agent; c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2009-07-07 2482848]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2009-07-08 359952]
R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2009-09-16 144704]
R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2009-10-27 895696]
R2 MSK80Service;McAfee Anti-Spam Service; C:\Program Files\McAfee\MSK\MskSrver.exe [2009-07-08 26640]
R2 nmservice;Pure Networks Platform Service; C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe [2008-01-08 451896]
R2 Seagate Sync Service;Seagate Sync Service; C:\Program Files\Seagate\Sync\SeaSyncServices.exe [2007-01-18 24120]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter); C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2008-08-13 201968]
R2 STacSV;SigmaTel Audio Service; C:\Windows\system32\STacSV.exe [2007-06-25 94208]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2006-08-04 386560]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-09-21 545568]
R3 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2009-09-16 606736]
S2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe []
S2 RoxLiveShare10;LiveShare P2P Server 10; C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe []
S3 ADVService;Amazon Unbox Video Service; C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe [2007-07-11 25640]
S3 DSBrokerService;DSBrokerService; C:\Program Files\DellSupport\brkrsvc.exe [2007-03-19 70656]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2009-09-16 365072]
S3 nmraapache;Pure Networks Net2Go Service; C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe [2008-01-18 12800]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe []

-----------------EOF-----------------

Attached Files

  • info.txt (30.29KB)


#5 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai

Posted 28 November 2009 - 11:43 AM

Hello, Amanda78.
More than happy to help out :(. Thanks for letting me know that you'll be delayed in responding too.

Also, in the future, please make sure that you copy and paste all logs into your reply (even the longer ones) unless the instructions say otherwise. It makes it a bit easier for me to read :(

Let's begin:
We need to run a GMER scan
  • Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
In your next reply, please include the following:
  • gmer.txt

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM
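The GMER log that this scan produces (Amanda78 posts hers in the next reply) lists every hooked export with the patch GMER found and, where it can, the module that owns the redirect target. As an added example, not part of this thread or of GMER itself, here is a small Python triage helper for that format; the sample lines are constructed after the thread's log, and the field names (owner, export, patch, target) are this example's own.

```python
"""Triage helper for GMER 'code sections' output (added example, not from the
thread or from GMER itself).  It splits each hook line into the hooked export,
the patch GMER saw, and the module GMER attributed the redirect to, then
reports hooks whose JMP target maps to no loaded module at all."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# One GMER hook line.  Kernel lines carry no process; user-mode lines start
# with "<image>[<pid>]".  The trailing module + "(description)" is only present
# when GMER could map the redirect target to a loaded module.
HOOK_RE = re.compile(
    r"^(?P<section>\S+)\s+"                                   # .text / PAGE / .rsrc
    r"(?:(?P<image>[A-Za-z]:\\\S+?)\[(?P<pid>\d+)\]\s+)?"     # user mode: C:\...\x.exe[pid]
    r"(?P<module>[^!\s]+)!(?P<func>\S+)"                      # hooked export
    r"(?:\s+\+\s+(?P<offset>\d+))?\s+"                        # optional "+ N" into the function
    r"(?P<addr>[0-9A-Fa-f]{8})\s+"
    r"(?P<size>\d+) Bytes?\s+"
    r"(?P<patch>JMP [0-9A-Fa-f]{8}|\[[^\]]*\])"               # inline JMP or raw bytes
    r"(?:\s+(?P<target>(?:\\|[A-Za-z]:\\)\S+))?"              # module owning the target
    r"(?:\s+\((?P<desc>[^)]*)\))?"                            # its description
)


@dataclass
class Hook:
    owner: str              # "kernel" or "<image>[<pid>]"
    export: str             # e.g. kernel32.dll!CreateProcessW
    patch: str              # "JMP 00E600DB" or "[E9]"
    target: Optional[str]   # module GMER resolved the redirect to, if any
    desc: Optional[str]


def parse_gmer(text: str) -> List[Hook]:
    """Parse the kernel and user 'code sections' lines; other lines are ignored."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if not m:
            continue
        if m["image"]:
            owner = f"{PureWindowsPath(m['image']).name}[{m['pid']}]"
        else:
            owner = "kernel"
        export = f"{m['module']}!{m['func']}"
        if m["offset"]:
            export += f"+{m['offset']}"
        hooks.append(Hook(owner, export, m["patch"], m["target"], m["desc"]))
    return hooks


def unattributed(hooks: List[Hook]) -> List[Hook]:
    """Hooks whose redirect GMER could not tie to any loaded module.  Security
    products hook the kernel too (McAfee's mfehidk.sys in the thread), but those
    lines name the driver; a bare JMP into anonymous memory inside services.exe
    or lsass.exe is what a helper will want to look at first."""
    return [h for h in hooks if h.target is None]


def summarize(hooks: List[Hook]) -> Dict[str, dict]:
    """Per owner: which modules the attributed hooks point into, and how many
    hooks point nowhere GMER recognizes."""
    out: Dict[str, dict] = {}
    for h in hooks:
        entry = out.setdefault(h.owner, {"attributed_to": set(), "unattributed": 0})
        if h.target is None:
            entry["unattributed"] += 1
        else:
            entry["attributed_to"].add(PureWindowsPath(h.target).name)
    return out


# Constructed sample in the format of the GMER log posted in the thread.
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 824B5AC6 5 Bytes JMP 8F3357CC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8258EC4E 5 Bytes JMP 8F3357A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\services.exe[708] kernel32.dll!CreateProcessW 77601D27 5 Bytes JMP 00E600DB
.text C:\Windows\system32\services.exe[708] WS2_32.dll!socket 77E94358 5 Bytes JMP 00F0000A
.text C:\Windows\system32\lsass.exe[720] kernel32.dll!CreateProcessW 77601D27 1 Byte [E9]
.text C:\Windows\system32\lsass.exe[720] msvcrt.dll!_wsystem + 3 772CAA52 2 Bytes [E3, 88] {JECXZ 0xffffffffffffff8a}
"""

if __name__ == "__main__":
    hooks = parse_gmer(SAMPLE_LOG)
    for owner, info in summarize(hooks).items():
        print(owner, "attributed:", sorted(info["attributed_to"]),
              "unattributed:", info["unattributed"])
    for h in unattributed(hooks):
        print("  review:", h.owner, h.export, h.patch)
```

Run it over a saved gmer.txt instead of SAMPLE_LOG to get the same per-process summary; hooks attributed to a known security driver are expected, the unattributed ones are the lines to discuss with the helper.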


#6 Amanda78

Amanda78
  • Topic Starter

  • Members
  • 16 posts

Posted 28 November 2009 - 05:28 PM

Hello aommaster,

GMER log is below...

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-28 17:24:03
Windows 6.0.6000
Running: dbjcwbz7.exe; Driver: C:\Users\Amanda\AppData\Local\Temp\pxtdapob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8F33579E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8F335738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8F33574C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8F3357DC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8F33581F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8F335710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8F335724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8F3357B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x8F335847]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x8F335833]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8F33578A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8F335776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8F33580B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8F3357F2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8F3357C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8F335762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 824B5AC6 5 Bytes JMP 8F3357CC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 8253870A 5 Bytes JMP 8F335823 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 82539BA2 5 Bytes JMP 8F335837 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8253BD3E 5 Bytes JMP 8F33584B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8258EC4E 5 Bytes JMP 8F3357A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 825D01E6 7 Bytes JMP 8F3357E0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 825E0BD0 5 Bytes JMP 8F3357F6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 825E8753 7 Bytes JMP 8F3357B6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 8261244A 5 Bytes JMP 8F33573C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 82612495 7 Bytes JMP 8F335750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 826138F5 5 Bytes JMP 8F335714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 82613C57 5 Bytes JMP 8F335728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 82615D0D 5 Bytes JMP 8F33577A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 8261ACF3 5 Bytes JMP 8F33578E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 8261B0EB 5 Bytes JMP 8F33580F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateUserProcess 82622617 5 Bytes JMP 8F335766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.rsrc C:\Windows\system32\drivers\iastor.sys entry point in ".rsrc" section [0x806FE02C]
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8C2B9360, 0x35B8D2, 0xE8000020]
.text C:\Windows\system32\drivers\hardlock.sys section is writeable [0xA5638400, 0x87EE2, 0xE8000020]
.protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xA56DC620] C:\Windows\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xA56DC620]
.protect˙˙˙˙hardlockunknown last code section [0xA56DC400, 0x5126, 0xE0000020] C:\Windows\system32\drivers\hardlock.sys unknown last code section [0xA56DC400, 0x5126, 0xE0000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\services.exe[708] kernel32.dll!VirtualProtect 776018BF 5 Bytes JMP 00E60F70
.text C:\Windows\system32\services.exe[708] kernel32.dll!GetStartupInfoW 7760191A 5 Bytes JMP 00E60F4E
.text C:\Windows\system32\services.exe[708] kernel32.dll!GetStartupInfoA 776019B8 5 Bytes JMP 00E6008A
.text C:\Windows\system32\services.exe[708] kernel32.dll!CreateProcessW 77601D27 5 Bytes JMP 00E600DB
.text C:\Windows\system32\services.exe[708] kernel32.dll!CreateProcessA 77601D5C 5 Bytes JMP 00E600C0
.text C:\Windows\system32\services.exe[708] kernel32.dll!CreateNamedPipeA 77602484 5 Bytes JMP 00E60FD4
.text C:\Windows\system32\services.exe[708] kernel32.dll!WinExec 776032DF 5 Bytes JMP 00E600AF
.text C:\Windows\system32\services.exe[708] kernel32.dll!CreateNamedPipeW 7760EDFE 5 Bytes JMP 00E60FC3
.text C:\Windows\system32\services.exe[708] kernel32.dll!CreatePipe 7761B0AF 5 Bytes JMP 00E6006F
.text C:\Windows\system32\services.exe[708] kernel32.dll!VirtualProtectEx 776260AB 5 Bytes JMP 00E60F5F
.text C:\Windows\system32\services.exe[708] kernel32.dll!LoadLibraryExW 776295A7 5 Bytes JMP 00E60F81
.text C:\Windows\system32\services.exe[708] kernel32.dll!LoadLibraryW 7762971F 5 Bytes JMP 00E60040
.text C:\Windows\system32\services.exe[708] kernel32.dll!LoadLibraryExA 77629A6E 5 Bytes JMP 00E60F9E
.text C:\Windows\system32\services.exe[708] kernel32.dll!LoadLibraryA 77629A96 5 Bytes JMP 00E6002F
.text C:\Windows\system32\services.exe[708] kernel32.dll!GetProcAddress 77644110 5 Bytes JMP 00E60F29
.text C:\Windows\system32\services.exe[708] kernel32.dll!CreateFileW 7764866C 5 Bytes JMP 00E60FE5
.text C:\Windows\system32\services.exe[708] kernel32.dll!CreateFileA 77648CA4 5 Bytes JMP 00E60000
.text C:\Windows\system32\services.exe[708] ADVAPI32.dll!RegCreateKeyW 776F8229 5 Bytes JMP 00E7004C
.text C:\Windows\system32\services.exe[708] ADVAPI32.dll!RegCreateKeyExA 77703941 5 Bytes JMP 00E7005D
.text C:\Windows\system32\services.exe[708] ADVAPI32.dll!RegCreateKeyA 77703B9F 5 Bytes JMP 00E7003B
.text C:\Windows\system32\services.exe[708] ADVAPI32.dll!RegCreateKeyExW 777104A2 5 Bytes JMP 00E70F9A
.text C:\Windows\system32\services.exe[708] ADVAPI32.dll!RegOpenKeyExA 77710DDF 5 Bytes JMP 00E70FDE
.text C:\Windows\system32\services.exe[708] ADVAPI32.dll!RegOpenKeyW 77717B8D 5 Bytes JMP 00E7000A
.text C:\Windows\system32\services.exe[708] ADVAPI32.dll!RegOpenKeyA 7771EAEA 5 Bytes JMP 00E70FEF
.text C:\Windows\system32\services.exe[708] ADVAPI32.dll!RegOpenKeyExW 77725ECD 5 Bytes JMP 00E70FCD
.text C:\Windows\system32\services.exe[708] msvcrt.dll!_open 7729A890 5 Bytes JMP 00DC0000
.text C:\Windows\system32\services.exe[708] msvcrt.dll!_wsystem 772CAA4F 5 Bytes JMP 00DC0FB7
.text C:\Windows\system32\services.exe[708] msvcrt.dll!system 772CAB6B 5 Bytes JMP 00DC0038
.text C:\Windows\system32\services.exe[708] msvcrt.dll!_creat 772CE711 5 Bytes JMP 00DC001D
.text C:\Windows\system32\services.exe[708] msvcrt.dll!_wcreat 772CF9C6 5 Bytes JMP 00DC0FC8
.text C:\Windows\system32\services.exe[708] msvcrt.dll!_wopen 772CFBA1 5 Bytes JMP 00DC0FEF
.text C:\Windows\system32\services.exe[708] WININET.dll!InternetOpenA 773BC879 5 Bytes JMP 00DD0FE5
.text C:\Windows\system32\services.exe[708] WININET.dll!InternetOpenW 773BCEA9 5 Bytes JMP 00DD000A
.text C:\Windows\system32\services.exe[708] WININET.dll!InternetOpenUrlA 773C0BD2 5 Bytes JMP 00DD0FD4
.text C:\Windows\system32\services.exe[708] WININET.dll!InternetOpenUrlW 7740B079 5 Bytes JMP 00DD002F
.text C:\Windows\system32\services.exe[708] WS2_32.dll!socket 77E94358 5 Bytes JMP 00F0000A
.text C:\Windows\system32\lsass.exe[720] kernel32.dll!VirtualProtect 776018BF 5 Bytes JMP 00120FA5
.text C:\Windows\system32\lsass.exe[720] kernel32.dll!GetStartupInfoW 7760191A 5 Bytes JMP 00120F68
.text C:\Windows\system32\lsass.exe[720] kernel32.dll!GetStartupInfoA 776019B8 5 Bytes JMP 001200A4
.text C:\Windows\system32\lsass.exe[720] kernel32.dll!CreateProcessW 77601D27 1 Byte [E9]
.text C:\Windows\system32\lsass.exe[720] kernel32.dll!CreateProcessW 77601D27 5 Bytes JMP 00120F2B
.text C:\Windows\system32\lsass.exe[720] kernel32.dll!CreateProcessA 77601D5C 5 Bytes JMP 00120F46
.text C:\Windows\system32\lsass.exe[720] kernel32.dll!CreateNamedPipeA 77602484 5 Bytes JMP 00120FD1
.text C:\Windows\system32\lsass.exe[720] kernel32.dll!WinExec 776032DF 5 Bytes JMP 00120F57
.text C:\Windows\system32\lsass.exe[720] kernel32.dll!CreateNamedPipeW 7760EDFE 5 Bytes JMP 00120FC0
.text C:\Windows\system32\lsass.exe[720] kernel32.dll!CreatePipe 7761B0AF 5 Bytes JMP 00120F79
.text C:\Windows\system32\lsass.exe[720] kernel32.dll!VirtualProtectEx 776260AB 5 Bytes JMP 00120F8A
.text C:\Windows\system32\lsass.exe[720] kernel32.dll!LoadLibraryExW 776295A7 5 Bytes JMP 00120073
.text C:\Windows\system32\lsass.exe[720] kernel32.dll!LoadLibraryW 7762971F 5 Bytes JMP 00120051
.text C:\Windows\system32\lsass.exe[720] kernel32.dll!LoadLibraryExA 77629A6E 5 Bytes JMP 00120062
.text C:\Windows\system32\lsass.exe[720] kernel32.dll!LoadLibraryA 77629A96 5 Bytes JMP 0012002C
.text C:\Windows\system32\lsass.exe[720] kernel32.dll!GetProcAddress 77644110 5 Bytes JMP 001200D3
.text C:\Windows\system32\lsass.exe[720] kernel32.dll!CreateFileW 7764866C 5 Bytes JMP 00120011
.text C:\Windows\system32\lsass.exe[720] kernel32.dll!CreateFileA 77648CA4 5 Bytes JMP 00120000
.text C:\Windows\system32\lsass.exe[720] ADVAPI32.dll!RegCreateKeyW 776F8229 5 Bytes JMP 00A70FC3
.text C:\Windows\system32\lsass.exe[720] ADVAPI32.dll!RegCreateKeyExA 77703941 5 Bytes JMP 00A70FB2
.text C:\Windows\system32\lsass.exe[720] ADVAPI32.dll!RegCreateKeyA 77703B9F 5 Bytes JMP 00A7004E
.text C:\Windows\system32\lsass.exe[720] ADVAPI32.dll!RegCreateKeyExW 777104A2 5 Bytes JMP 00A70075
.text C:\Windows\system32\lsass.exe[720] ADVAPI32.dll!RegOpenKeyExA 77710DDF 5 Bytes JMP 00A70FD4
.text C:\Windows\system32\svchost.exe[1600] msvcrt.dll!_wopen 772CFBA1 5 Bytes JMP 00D3001D
.text C:\Windows\system32\svchost.exe[1600] ADVAPI32.dll!RegCreateKeyW 776F8229 5 Bytes JMP 00F20053
.text C:\Windows\system32\svchost.exe[1600] ADVAPI32.dll!RegCreateKeyExA 77703941 5 Bytes JMP 00F20FAD
.text C:\Windows\system32\svchost.exe[1600] ADVAPI32.dll!RegCreateKeyA 77703B9F 5 Bytes JMP 00F20038
.text C:\Windows\system32\svchost.exe[1600] ADVAPI32.dll!RegCreateKeyExW 777104A2 5 Bytes JMP 00F20F84
.text C:\Windows\system32\svchost.exe[1600] ADVAPI32.dll!RegOpenKeyExA 77710DDF 5 Bytes JMP 00F20FD4
.text C:\Windows\system32\svchost.exe[1600] ADVAPI32.dll!RegOpenKeyW 77717B8D 5 Bytes JMP 00F20FEF
.text C:\Windows\system32\svchost.exe[1600] ADVAPI32.dll!RegOpenKeyA 7771EAEA 5 Bytes JMP 00F20000
.text C:\Windows\system32\svchost.exe[1600] ADVAPI32.dll!RegOpenKeyExW 77725ECD 5 Bytes JMP 00F20027
.text C:\Windows\system32\svchost.exe[1600] WININET.dll!InternetOpenA 773BC879 5 Bytes JMP 00D40FEF
.text C:\Windows\system32\svchost.exe[1600] WININET.dll!InternetOpenW 773BCEA9 5 Bytes JMP 00D40FD4
.text C:\Windows\system32\svchost.exe[1600] WININET.dll!InternetOpenUrlA 773C0BD2 5 Bytes JMP 00D4000A
.text C:\Windows\system32\svchost.exe[1600] WININET.dll!InternetOpenUrlW 7740B079 5 Bytes JMP 00D4001B
.text C:\Windows\system32\svchost.exe[1600] WS2_32.dll!socket 77E94358 5 Bytes JMP 00F30FEF
.text C:\Windows\system32\svchost.exe[1868] kernel32.dll!VirtualProtect 776018BF 5 Bytes JMP 01CC0040
.text C:\Windows\system32\svchost.exe[1868] kernel32.dll!GetStartupInfoW 7760191A 5 Bytes JMP 01CC0F30
.text C:\Windows\system32\svchost.exe[1868] kernel32.dll!GetStartupInfoA 776019B8 5 Bytes JMP 01CC0076
.text C:\Windows\system32\svchost.exe[1868] kernel32.dll!CreateProcessW 77601D27 5 Bytes JMP 01CC0EF3
.text C:\Windows\system32\svchost.exe[1868] kernel32.dll!CreateProcessA 77601D5C 5 Bytes JMP 01CC0F04
.text C:\Windows\system32\svchost.exe[1868] kernel32.dll!CreateNamedPipeA 77602484 5 Bytes JMP 01CC0000
.text C:\Windows\system32\svchost.exe[1868] kernel32.dll!WinExec 776032DF 5 Bytes JMP 01CC0F1F
.text C:\Windows\system32\svchost.exe[1868] kernel32.dll!CreateNamedPipeW 7760EDFE 5 Bytes JMP 01CC0FAF
.text C:\Windows\system32\svchost.exe[1868] kernel32.dll!CreatePipe 7761B0AF 5 Bytes JMP 01CC0F4B
.text C:\Windows\system32\svchost.exe[1868] kernel32.dll!VirtualProtectEx 776260AB 5 Bytes JMP 01CC0051
.text C:\Windows\system32\svchost.exe[1868] kernel32.dll!LoadLibraryExW 776295A7 5 Bytes JMP 01CC0F5C
.text C:\Windows\system32\svchost.exe[1868] kernel32.dll!LoadLibraryW 7762971F 5 Bytes JMP 01CC0025
.text C:\Windows\system32\svchost.exe[1868] kernel32.dll!LoadLibraryExA 77629A6E 5 Bytes JMP 01CC0F79
.text C:\Windows\system32\svchost.exe[1868] kernel32.dll!LoadLibraryA 77629A96 5 Bytes JMP 01CC0F9E
.text C:\Windows\system32\svchost.exe[1868] kernel32.dll!GetProcAddress 77644110 5 Bytes JMP 01CC0EE2
.text C:\Windows\system32\svchost.exe[1868] kernel32.dll!CreateFileW 7764866C 5 Bytes JMP 01CC0FD4
.text C:\Windows\system32\svchost.exe[1868] kernel32.dll!CreateFileA 77648CA4 5 Bytes JMP 01CC0FE5
.text C:\Windows\system32\svchost.exe[1868] msvcrt.dll!_open 7729A890 5 Bytes JMP 01CA0FEF
.text C:\Windows\system32\svchost.exe[1868] msvcrt.dll!_wsystem 772CAA4F 5 Bytes JMP 01CA005A
.text C:\Windows\system32\svchost.exe[1868] msvcrt.dll!system 772CAB6B 5 Bytes JMP 01CA0049
.text C:\Windows\system32\svchost.exe[1868] msvcrt.dll!_creat 772CE711 5 Bytes JMP 01CA001D
.text C:\Windows\system32\svchost.exe[1868] msvcrt.dll!_wcreat 772CF9C6 5 Bytes JMP 01CA0038
.text C:\Windows\system32\svchost.exe[1868] msvcrt.dll!_wopen 772CFBA1 5 Bytes JMP 01CA000C
.text C:\Windows\system32\svchost.exe[1868] ADVAPI32.dll!RegCreateKeyW 776F8229 5 Bytes JMP 01CE0055
.text C:\Windows\system32\svchost.exe[1868] ADVAPI32.dll!RegCreateKeyExA 77703941 5 Bytes JMP 01CE0FB9
.text C:\Windows\system32\svchost.exe[1868] ADVAPI32.dll!RegCreateKeyA 77703B9F 5 Bytes JMP 01CE0FCA
.text C:\Windows\system32\svchost.exe[1868] ADVAPI32.dll!RegCreateKeyExW 777104A2 5 Bytes JMP 01CE0070
.text C:\Windows\system32\svchost.exe[1868] ADVAPI32.dll!RegOpenKeyExA 77710DDF 5 Bytes JMP 01CE001B
.text C:\Windows\system32\svchost.exe[1868] ADVAPI32.dll!RegOpenKeyW 77717B8D 5 Bytes JMP 01CE0000
.text C:\Windows\system32\svchost.exe[1868] ADVAPI32.dll!RegOpenKeyA 7771EAEA 5 Bytes JMP 01CE0FE5
.text C:\Windows\system32\svchost.exe[1868] ADVAPI32.dll!RegOpenKeyExW 77725ECD 5 Bytes JMP 01CE0038
.text C:\Windows\system32\svchost.exe[1868] WININET.dll!InternetOpenA 773BC879 5 Bytes JMP 01CB0FEF
.text C:\Windows\system32\svchost.exe[1868] WININET.dll!InternetOpenW 773BCEA9 5 Bytes JMP 01CB000A
.text C:\Windows\system32\svchost.exe[1868] WININET.dll!InternetOpenUrlA 773C0BD2 5 Bytes JMP 01CB001B
.text C:\Windows\system32\svchost.exe[1868] WININET.dll!InternetOpenUrlW 7740B079 5 Bytes JMP 01CB002C
.text C:\Windows\system32\svchost.exe[1868] WS2_32.dll!socket 77E94358 5 Bytes JMP 01CF0000
.text C:\Windows\system32\svchost.exe[2148] kernel32.dll!VirtualProtect 776018BF 5 Bytes JMP 00FA0F70
.text C:\Windows\system32\svchost.exe[2148] kernel32.dll!GetStartupInfoW 7760191A 5 Bytes JMP 00FA009E
.text C:\Windows\system32\svchost.exe[2148] kernel32.dll!GetStartupInfoA 776019B8 5 Bytes JMP 00FA0079
.text C:\Windows\system32\svchost.exe[2148] kernel32.dll!CreateProcessW 77601D27 5 Bytes JMP 00FA00CA
.text C:\Windows\system32\svchost.exe[2148] kernel32.dll!CreateProcessA 77601D5C 5 Bytes JMP 00FA0F33
.text C:\Windows\system32\svchost.exe[2148] kernel32.dll!CreateNamedPipeA 77602484 5 Bytes JMP 00FA0FE5
.text C:\Windows\system32\svchost.exe[2148] kernel32.dll!WinExec 776032DF 5 Bytes JMP 00FA00AF
.text C:\Windows\system32\svchost.exe[2148] kernel32.dll!CreateNamedPipeW 7760EDFE 5 Bytes JMP 00FA0FD4
.text C:\Windows\system32\svchost.exe[2148] kernel32.dll!CreatePipe 7761B0AF 5 Bytes JMP 00FA0F4E
.text C:\Windows\system32\svchost.exe[2148] kernel32.dll!VirtualProtectEx 776260AB 5 Bytes JMP 00FA0F5F
.text C:\Windows\system32\svchost.exe[2148] kernel32.dll!LoadLibraryExW 776295A7 5 Bytes JMP 00FA004A
.text C:\Windows\system32\svchost.exe[2148] kernel32.dll!LoadLibraryW 7762971F 5 Bytes JMP 00FA0FA8
.text C:\Windows\system32\svchost.exe[2148] kernel32.dll!LoadLibraryExA 77629A6E 5 Bytes JMP 00FA0F8D
.text C:\Windows\system32\svchost.exe[2148] kernel32.dll!LoadLibraryA 77629A96 5 Bytes JMP 00FA0FC3
.text C:\Windows\system32\svchost.exe[2148] kernel32.dll!GetProcAddress 77644110 5 Bytes JMP 00FA00DB
.text C:\Windows\system32\svchost.exe[2148] kernel32.dll!CreateFileW 7764866C 5 Bytes JMP 00FA001B
.text C:\Windows\system32\svchost.exe[2148] kernel32.dll!CreateFileA 77648CA4 5 Bytes JMP 00FA0000
.text C:\Windows\system32\svchost.exe[2148] msvcrt.dll!_open 7729A890 5 Bytes JMP 00F80FEF
.text C:\Windows\system32\svchost.exe[2148] msvcrt.dll!_wsystem 772CAA4F 2 Bytes JMP 00F8004C
.text C:\Windows\system32\svchost.exe[2148] msvcrt.dll!_wsystem + 3 772CAA52 2 Bytes [CB, 89]
.text C:\Windows\system32\svchost.exe[2148] msvcrt.dll!system 772CAB6B 5 Bytes JMP 00F8003B
.text C:\Windows\system32\svchost.exe[2148] msvcrt.dll!_creat 772CE711 5 Bytes JMP 00F80FD2
.text C:\Windows\system32\svchost.exe[2148] msvcrt.dll!_wcreat 772CF9C6 5 Bytes JMP 00F80FC1
.text C:\Windows\system32\svchost.exe[2148] msvcrt.dll!_wopen 772CFBA1 5 Bytes JMP 00F8000C
.text C:\Windows\system32\svchost.exe[2148] ADVAPI32.dll!RegCreateKeyW 776F8229 5 Bytes JMP 00FC0038
.text C:\Windows\system32\svchost.exe[2148] ADVAPI32.dll!RegCreateKeyExA 77703941 5 Bytes JMP 00FC0053
.text C:\Windows\system32\svchost.exe[2148] ADVAPI32.dll!RegCreateKeyA 77703B9F 3 Bytes JMP 00FC0FAD
.text C:\Windows\system32\svchost.exe[2148] ADVAPI32.dll!RegCreateKeyA + 4 77703BA3 1 Byte [89]
.text C:\Windows\system32\svchost.exe[2148] ADVAPI32.dll!RegCreateKeyExW 777104A2 5 Bytes JMP 00FC0070
.text C:\Windows\system32\svchost.exe[2148] ADVAPI32.dll!RegOpenKeyExA 77710DDF 5 Bytes JMP 00FC0FE5
.text C:\Windows\system32\svchost.exe[2148] ADVAPI32.dll!RegOpenKeyW 77717B8D 5 Bytes JMP 00FC001B
.text C:\Windows\system32\svchost.exe[2148] ADVAPI32.dll!RegOpenKeyA 7771EAEA 5 Bytes JMP 00FC0000
.text C:\Windows\system32\svchost.exe[2148] ADVAPI32.dll!RegOpenKeyExW 77725ECD 5 Bytes JMP 00FC0FC8
.text C:\Windows\system32\svchost.exe[2148] WININET.dll!InternetOpenA 773BC879 5 Bytes JMP 00F90FEF
.text C:\Windows\system32\svchost.exe[2148] WININET.dll!InternetOpenW 773BCEA9 5 Bytes JMP 00F90FD4
.text C:\Windows\system32\svchost.exe[2148] WININET.dll!InternetOpenUrlA 773C0BD2 5 Bytes JMP 00F90014
.text C:\Windows\system32\svchost.exe[2148] WININET.dll!InternetOpenUrlW 7740B079 5 Bytes JMP 00F90025
.text C:\Windows\system32\svchost.exe[2148] WS2_32.dll!socket 77E94358 5 Bytes JMP 00FD0FEF
.text C:\Windows\system32\svchost.exe[3460] kernel32.dll!VirtualProtect 776018BF 5 Bytes JMP 002D0FA3
.text C:\Windows\system32\svchost.exe[3460] kernel32.dll!GetStartupInfoW 7760191A 5 Bytes JMP 002D0F55
.text C:\Windows\system32\svchost.exe[3460] kernel32.dll!GetStartupInfoA 776019B8 5 Bytes JMP 002D0F70
.text C:\Windows\system32\svchost.exe[3460] kernel32.dll!CreateProcessW 77601D27 5 Bytes JMP 002D00D1
.text C:\Windows\system32\svchost.exe[3460] kernel32.dll!CreateProcessA 77601D5C 5 Bytes JMP 002D0F30
.text C:\Windows\system32\svchost.exe[3460] kernel32.dll!CreateNamedPipeA 77602484 5 Bytes JMP 002D0FE5
.text C:\Windows\system32\svchost.exe[3460] kernel32.dll!WinExec 776032DF 5 Bytes JMP 002D00B6
.text C:\Windows\system32\svchost.exe[3460] kernel32.dll!CreateNamedPipeW 7760EDFE 5 Bytes JMP 002D0036
.text C:\Windows\system32\svchost.exe[3460] kernel32.dll!CreatePipe 7761B0AF 5 Bytes JMP 002D0F81
.text C:\Windows\system32\svchost.exe[3460] kernel32.dll!VirtualProtectEx 776260AB 5 Bytes JMP 002D0F92
.text C:\Windows\system32\svchost.exe[3460] kernel32.dll!LoadLibraryExW 776295A7 5 Bytes JMP 002D0087
.text C:\Windows\system32\svchost.exe[3460] kernel32.dll!LoadLibraryW 7762971F 5 Bytes JMP 002D005B
.text C:\Windows\system32\svchost.exe[3460] kernel32.dll!LoadLibraryExA 77629A6E 5 Bytes JMP 002D0076
.text C:\Windows\system32\svchost.exe[3460] kernel32.dll!LoadLibraryA 77629A96 5 Bytes JMP 002D0FD4
.text C:\Windows\system32\svchost.exe[3460] kernel32.dll!GetProcAddress 77644110 5 Bytes JMP 002D00E2
.text C:\Windows\system32\svchost.exe[3460] kernel32.dll!CreateFileW 7764866C 5 Bytes JMP 002D001B
.text C:\Windows\system32\svchost.exe[3460] kernel32.dll!CreateFileA 77648CA4 5 Bytes JMP 002D0000
.text C:\Windows\system32\svchost.exe[3460] msvcrt.dll!_open 7729A890 5 Bytes JMP 002B000C
.text C:\Windows\system32\svchost.exe[3460] msvcrt.dll!_wsystem 772CAA4F 2 Bytes JMP 002B004E
.text C:\Windows\system32\svchost.exe[3460] msvcrt.dll!_wsystem + 3 772CAA52 2 Bytes [FE, 88]
.text C:\Windows\system32\svchost.exe[3460] msvcrt.dll!system 772CAB6B 5 Bytes JMP 002B0FC3
.text C:\Windows\system32\svchost.exe[3460] msvcrt.dll!_creat 772CE711 5 Bytes JMP 002B0029
.text C:\Windows\system32\svchost.exe[3460] msvcrt.dll!_wcreat 772CF9C6 5 Bytes JMP 002B0FD4
.text C:\Windows\system32\svchost.exe[3460] msvcrt.dll!_wopen 772CFBA1 5 Bytes JMP 002B0FEF
.text C:\Windows\system32\svchost.exe[3460] ADVAPI32.dll!RegCreateKeyW 776F8229 5 Bytes JMP 002E0FB2
.text C:\Windows\system32\svchost.exe[3460] ADVAPI32.dll!RegCreateKeyExA 77703941 5 Bytes JMP 002E0FA1
.text C:\Windows\system32\svchost.exe[3460] ADVAPI32.dll!RegCreateKeyA 77703B9F 5 Bytes JMP 002E0033
.text C:\Windows\system32\svchost.exe[3460] ADVAPI32.dll!RegCreateKeyExW 777104A2 5 Bytes JMP 002E0070
.text C:\Windows\system32\svchost.exe[3460] ADVAPI32.dll!RegOpenKeyExA 77710DDF 5 Bytes JMP 002E0FD4
.text C:\Windows\system32\svchost.exe[3460] ADVAPI32.dll!RegOpenKeyW 77717B8D 5 Bytes JMP 002E0FEF
.text C:\Windows\system32\svchost.exe[3460] ADVAPI32.dll!RegOpenKeyA 7771EAEA 5 Bytes JMP 002E000A
.text C:\Windows\system32\svchost.exe[3460] ADVAPI32.dll!RegOpenKeyExW 77725ECD 5 Bytes JMP 002E0FC3
.text C:\Windows\system32\svchost.exe[3460] WININET.dll!InternetOpenA 773BC879 5 Bytes JMP 002C0000
.text C:\Windows\system32\svchost.exe[3460] WININET.dll!InternetOpenW 773BCEA9 5 Bytes JMP 002C0011
.text C:\Windows\system32\svchost.exe[3460] WININET.dll!InternetOpenUrlA 773C0BD2 5 Bytes JMP 002C0FDB
.text C:\Windows\system32\svchost.exe[3460] WININET.dll!InternetOpenUrlW 7740B079 5 Bytes JMP 002C0FB6
.text C:\Windows\system32\svchost.exe[3460] WS2_32.dll!socket 77E94358 5 Bytes JMP 00920000
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[3736] kernel32.dll!LoadLibraryW 7762971F 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[3736] kernel32.dll!LoadLibraryA 77629A96 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Windows\system32\wuauclt.exe[4248] kernel32.dll!VirtualProtect 776018BF 5 Bytes JMP 00060F81
.text C:\Windows\system32\wuauclt.exe[4248] kernel32.dll!GetStartupInfoW 7760191A 5 Bytes JMP 00060091
.text C:\Windows\system32\wuauclt.exe[4248] kernel32.dll!GetStartupInfoA 776019B8 5 Bytes JMP 00060080
.text C:\Windows\system32\wuauclt.exe[4248] kernel32.dll!CreateProcessW 77601D27 5 Bytes JMP 000600BD
.text C:\Windows\system32\wuauclt.exe[4248] kernel32.dll!CreateProcessA 77601D5C 5 Bytes JMP 000600AC
.text C:\Windows\system32\wuauclt.exe[4248] kernel32.dll!CreateNamedPipeA 77602484 5 Bytes JMP 00060FD4
.text C:\Windows\system32\wuauclt.exe[4248] kernel32.dll!WinExec 776032DF 5 Bytes JMP 00060F26
.text C:\Windows\system32\wuauclt.exe[4248] kernel32.dll!CreateNamedPipeW 7760EDFE 5 Bytes JMP 0006002F
.text C:\Windows\system32\wuauclt.exe[4248] kernel32.dll!CreatePipe 7761B0AF 5 Bytes JMP 00060F55
.text C:\Windows\system32\wuauclt.exe[4248] kernel32.dll!VirtualProtectEx 776260AB 5 Bytes JMP 00060F66
.text C:\Windows\system32\wuauclt.exe[4248] kernel32.dll!LoadLibraryExW 776295A7 5 Bytes JMP 0006005B
.text C:\Windows\system32\wuauclt.exe[4248] kernel32.dll!LoadLibraryW 7762971F 5 Bytes JMP 00060FB9
.text C:\Windows\system32\wuauclt.exe[4248] kernel32.dll!LoadLibraryExA 77629A6E 5 Bytes JMP 00060FA8
.text C:\Windows\system32\wuauclt.exe[4248] kernel32.dll!LoadLibraryA 77629A96 5 Bytes JMP 00060040
.text C:\Windows\system32\wuauclt.exe[4248] kernel32.dll!GetProcAddress 77644110 5 Bytes JMP 00060F15
.text C:\Windows\system32\wuauclt.exe[4248] kernel32.dll!CreateFileW 7764866C 5 Bytes JMP 0006000A
.text C:\Windows\system32\wuauclt.exe[4248] kernel32.dll!CreateFileA 77648CA4 5 Bytes JMP 00060FE5
.text C:\Windows\system32\wuauclt.exe[4248] msvcrt.dll!_open 7729A890 5 Bytes JMP 000C0FEF
.text C:\Windows\system32\wuauclt.exe[4248] msvcrt.dll!_wsystem 772CAA4F 5 Bytes JMP 000C005D
.text C:\Windows\system32\wuauclt.exe[4248] msvcrt.dll!system 772CAB6B 5 Bytes JMP 000C0042
.text C:\Windows\system32\wuauclt.exe[4248] msvcrt.dll!_creat 772CE711 5 Bytes JMP 000C0FD2
.text C:\Windows\system32\wuauclt.exe[4248] msvcrt.dll!_wcreat 772CF9C6 5 Bytes JMP 000C0027
.text C:\Windows\system32\wuauclt.exe[4248] msvcrt.dll!_wopen 772CFBA1 5 Bytes JMP 000C000C
.text C:\Windows\system32\wuauclt.exe[4248] ADVAPI32.dll!RegCreateKeyW 776F8229 5 Bytes JMP 000D0F81
.text C:\Windows\system32\wuauclt.exe[4248] ADVAPI32.dll!RegCreateKeyExA 77703941 5 Bytes JMP 000D0F70
.text C:\Windows\system32\wuauclt.exe[4248] ADVAPI32.dll!RegCreateKeyA 77703B9F 5 Bytes JMP 000D0016
.text C:\Windows\system32\wuauclt.exe[4248] ADVAPI32.dll!RegCreateKeyExW 777104A2 5 Bytes JMP 000D0F53
.text C:\Windows\system32\wuauclt.exe[4248] ADVAPI32.dll!RegOpenKeyExA 77710DDF 5 Bytes JMP 000D0FB9
.text C:\Windows\system32\wuauclt.exe[4248] ADVAPI32.dll!RegOpenKeyW 77717B8D 5 Bytes JMP 000D0FCA
.text C:\Windows\system32\wuauclt.exe[4248] ADVAPI32.dll!RegOpenKeyA 7771EAEA 5 Bytes JMP 000D0FEF
.text C:\Windows\system32\wuauclt.exe[4248] ADVAPI32.dll!RegOpenKeyExW 77725ECD 5 Bytes JMP 000D0F9C
.text C:\Windows\system32\wuauclt.exe[4248] WININET.dll!InternetOpenA 773BC879 5 Bytes JMP 00200FEF
.text C:\Windows\system32\wuauclt.exe[4248] WININET.dll!InternetOpenW 773BCEA9 5 Bytes JMP 00200000
.text C:\Windows\system32\wuauclt.exe[4248] WININET.dll!InternetOpenUrlA 773C0BD2 5 Bytes JMP 0020001B
.text C:\Windows\system32\wuauclt.exe[4248] WININET.dll!InternetOpenUrlW 7740B079 5 Bytes JMP 0020002C
.text C:\Windows\explorer.exe[5248] kernel32.dll!VirtualProtect 776018BF 5 Bytes JMP 00050062
.text C:\Windows\explorer.exe[5248] kernel32.dll!GetStartupInfoW 7760191A 5 Bytes JMP 00050F37
.text C:\Windows\explorer.exe[5248] kernel32.dll!GetStartupInfoA 776019B8 5 Bytes JMP 00050F52
.text C:\Windows\explorer.exe[5248] kernel32.dll!CreateProcessW 77601D27 5 Bytes JMP 00050F12
.text C:\Windows\explorer.exe[5248] kernel32.dll!CreateProcessA 77601D5C 5 Bytes JMP 000500B3
.text C:\Windows\explorer.exe[5248] kernel32.dll!CreateNamedPipeA 77602484 5 Bytes JMP 00050025
.text C:\Windows\explorer.exe[5248] kernel32.dll!WinExec 776032DF 5 Bytes JMP 00050098
.text C:\Windows\explorer.exe[5248] kernel32.dll!CreateNamedPipeW 7760EDFE 5 Bytes JMP 00050FD4
.text C:\Windows\explorer.exe[5248] kernel32.dll!CreatePipe 7761B0AF 5 Bytes JMP 00050073
.text C:\Windows\explorer.exe[5248] kernel32.dll!VirtualProtectEx 776260AB 5 Bytes JMP 00050F6D
.text C:\Windows\explorer.exe[5248] kernel32.dll!LoadLibraryExW 776295A7 5 Bytes JMP 00050051
.text C:\Windows\explorer.exe[5248] kernel32.dll!LoadLibraryW 7762971F 5 Bytes JMP 00050F9E
.text C:\Windows\explorer.exe[5248] kernel32.dll!LoadLibraryExA 77629A6E 5 Bytes JMP 00050040
.text C:\Windows\explorer.exe[5248] kernel32.dll!LoadLibraryA 77629A96 5 Bytes JMP 00050FB9
.text C:\Windows\explorer.exe[5248] kernel32.dll!GetProcAddress 77644110 5 Bytes JMP 000500C4
.text C:\Windows\explorer.exe[5248] kernel32.dll!CreateFileW 7764866C 5 Bytes JMP 00050FE5
.text C:\Windows\explorer.exe[5248] kernel32.dll!CreateFileA 77648CA4 5 Bytes JMP 00050000
.text C:\Windows\explorer.exe[5248] ADVAPI32.dll!RegCreateKeyW 776F8229 5 Bytes JMP 00070042
.text C:\Windows\explorer.exe[5248] ADVAPI32.dll!RegCreateKeyExA 77703941 5 Bytes JMP 00070053
.text C:\Windows\explorer.exe[5248] ADVAPI32.dll!RegCreateKeyA 77703B9F 5 Bytes JMP 00070FB7
.text C:\Windows\explorer.exe[5248] ADVAPI32.dll!RegCreateKeyExW 777104A2 5 Bytes JMP 00070064
.text C:\Windows\explorer.exe[5248] ADVAPI32.dll!RegOpenKeyExA 77710DDF 5 Bytes JMP 00070FE5
.text C:\Windows\explorer.exe[5248] ADVAPI32.dll!RegOpenKeyW 77717B8D 5 Bytes JMP 00070011
.text C:\Windows\explorer.exe[5248] ADVAPI32.dll!RegOpenKeyA 7771EAEA 5 Bytes JMP 00070000
.text C:\Windows\explorer.exe[5248] ADVAPI32.dll!RegOpenKeyExW 77725ECD 5 Bytes JMP 00070FD4
.text C:\Windows\explorer.exe[5248] msvcrt.dll!_open 7729A890 5 Bytes JMP 0008000C
.text C:\Windows\explorer.exe[5248] msvcrt.dll!_wsystem 772CAA4F 2 Bytes JMP 00080049
.text C:\Windows\explorer.exe[5248] msvcrt.dll!_wsystem + 3 772CAA52 2 Bytes [DB, 88]
.text C:\Windows\explorer.exe[5248] msvcrt.dll!system 772CAB6B 5 Bytes JMP 00080FBE
.text C:\Windows\explorer.exe[5248] msvcrt.dll!_creat 772CE711 5 Bytes JMP 0008001D
.text C:\Windows\explorer.exe[5248] msvcrt.dll!_wcreat 772CF9C6 5 Bytes JMP 0008002E
.text C:\Windows\explorer.exe[5248] msvcrt.dll!_wopen 772CFBA1 5 Bytes JMP 00080FE3
.text C:\Windows\explorer.exe[5248] WININET.dll!InternetOpenA 773BC879 5 Bytes JMP 00950FEF
.text C:\Windows\explorer.exe[5248] WININET.dll!InternetOpenW 773BCEA9 5 Bytes JMP 0095000A
.text C:\Windows\explorer.exe[5248] WININET.dll!InternetOpenUrlA 773C0BD2 5 Bytes JMP 00950025
.text C:\Windows\explorer.exe[5248] WININET.dll!InternetOpenUrlW 7740B079 5 Bytes JMP 00950FD4
.text C:\Windows\explorer.exe[5248] WS2_32.dll!socket 77E94358 5 Bytes JMP 00AA0000

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\explorer.exe[5248] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCloneImage] [7516FD78] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5248] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDrawImageRectI] [7513BBF1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5248] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [7512A31F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5248] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetCompositingMode] [7512CBFF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5248] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateFromHDC] [75128AB2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5248] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromStream] [7513D168] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5248] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageHeight] [75127D98] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5248] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageWidth] [75127CFF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5248] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDisposeImage] [75126A54] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5248] @ C:\Windows\explorer.exe [gdiplus.dll!GdipLoadImageFromFileICM] [751BC1BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5248] @ C:\Windows\explorer.exe [gdiplus.dll!GdipLoadImageFromFile] [751480FE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5248] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDeleteGraphics] [751290CD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5248] @ C:\Windows\explorer.exe [gdiplus.dll!GdipFree] [7513223C] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5248] @ C:\Windows\explorer.exe [gdiplus.dll!GdipAlloc] [75132267] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5248] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusShutdown] [7513771C] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5248] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusStartup] [7513753E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[5248] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromStreamICM] [75168585] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\BTHUSB \Device\0000007b bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\0000007b bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\0000007d bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\0000007d bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001c26f430cf
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001c26f430cf (not active ControlSet)

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\iastor.sys suspicious modification

---- EOF - GMER 1.0.15 ----

#7 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:09:23 AM

Posted 28 November 2009 - 05:47 PM

Hi!

You are still having the redirects, is that correct?

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#8 Amanda78

Amanda78
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:01:23 AM

Posted 28 November 2009 - 06:25 PM

Yes, I'm definitely still having redirect issues as well as pop-up issues. When I just logged into bleepingcomputer.com, once I entered my user name and password, Firefox opened a new window with five tabs in it, all from spam sites...

Amanda

#9 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:09:23 AM

Posted 29 November 2009 - 09:35 PM

Hello, Amanda78.
We need to download and run ComboFix (by sUBs)
  • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
    They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". For more details, please check this thread
  • Please download ComboFix from one of these locations:
    Link 1
    Link 2
    ** IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    The Recovery Console was successfully installed. Click 'Yes' to continue scanning for malware. Click 'No' to exit
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.
**A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
**This tool is not a toy and not for everyday use.
**ComboFix SHOULD NOT be used unless requested by a forum helper


In your next reply, please include the following:
  • ComboFix.txt
  • Fresh HijackThis Log

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#10 Amanda78

Amanda78
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:01:23 AM

Posted 29 November 2009 - 11:10 PM

Okay, when I ran ComboFix, it told me that SuperAntiSpyware and Spyware Doctor were still running. I uninstalled those programs a couple of weeks ago and have no idea why they are still running. They didn't show up in the task manager anywhere so I could not disable them before running ComboFix. I went ahead and took the chance and ran the scan anyway. Also after ComboFix rebooted my computer, I noticed two new icons on my desktop. One is Internet Explorer and the other is a notepad file named "catchme.log". I'm not sure if ComboFix does this or what but I thought I'd mention it... Here are the logs:

ComboFix 09-11-29.03 - Amanda 11/29/2009 22:28.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2046.825 [GMT -5:00]
Running from: c:\users\Amanda\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: McAfee VirusScan *disabled* (Updated) {C78B3C70-4777-4742-BB91-9D615CC575E6}
SP: Spyware Doctor *enabled* (Updated) {1C3EDD79-273E-46ac-99F8-EFA9E7CBC301}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
* Resident AV is active

.
ADS - Windows: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1400113804-1914402855-3429530994-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-2518359263-3165569482-3143533669-500
c:\users\Amanda\AppData\Roaming\inst.exe
c:\windows\system32\ndisapi.dll

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-30 )))))))))))))))))))))))))))))))
.

2009-11-30 03:45 . 2009-11-30 03:45 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2009-11-30 03:45 . 2009-11-30 03:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-28 02:52 . 2009-11-28 02:53 -------- d-----w- C:\rsit
2009-11-22 23:20 . 2009-11-22 23:20 17237488 ----a-w- c:\users\Amanda\AppData\Roaming\Real\Update\setup3.09\rp\RealPlayerSPGold.exe
2009-11-22 23:20 . 2009-11-22 23:20 8405312 ----a-w- c:\users\Amanda\AppData\Roaming\Real\Update\setup3.09\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2009-11-22 23:19 . 2009-11-22 23:19 149000 ----a-w- c:\users\Amanda\AppData\Roaming\Real\Update\setup3.09\chr_helper\LaunchHelper.exe
2009-11-22 23:19 . 2009-11-22 23:19 10309448 ----a-w- c:\users\Amanda\AppData\Roaming\Real\Update\setup3.09\chr\ChromeInstaller.exe
2009-11-22 23:19 . 2009-11-22 23:19 79368 ----a-w- c:\users\Amanda\AppData\Roaming\Real\Update\setup3.09\RUP\vista.exe
2009-11-22 23:19 . 2009-11-22 23:19 52288 ----a-w- c:\users\Amanda\AppData\Roaming\Real\Update\setup3.09\RUP\inst_config\gtapi.dll
2009-11-22 23:19 . 2009-11-22 23:19 64000 ----a-w- c:\users\Amanda\AppData\Roaming\Real\Update\setup3.09\RUP\inst_config\gcapi_dll.dll
2009-11-22 23:19 . 2009-11-22 23:19 50688 ----a-w- c:\users\Amanda\AppData\Roaming\Real\Update\setup3.09\RUP\inst_config\fftbapi.dll
2009-11-22 23:19 . 2009-11-22 23:19 118784 ----a-w- c:\users\Amanda\AppData\Roaming\Real\Update\setup3.09\RUP\inst_config\compat.dll
2009-11-22 21:44 . 2009-11-22 21:44 -------- d-----w- c:\users\Amanda\AppData\Local\Apple Computer
2009-11-22 15:18 . 2009-11-22 15:18 439816 ----a-w- c:\users\Amanda\AppData\Roaming\Real\Update\setup3.09\setup.exe
2009-11-19 03:02 . 2009-11-19 03:03 -------- d-----w- c:\users\Amanda\AppData\Local\Adobe
2009-11-17 04:21 . 2009-11-17 02:58 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-17 02:50 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-17 02:49 . 2009-11-17 02:49 4096 dc-h--w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-17 02:49 . 2009-10-03 08:15 2924848 -c--a-w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-17 02:49 . 2009-11-17 02:50 -------- d-----w- c:\programdata\Lavasoft
2009-11-17 02:49 . 2009-11-17 02:49 -------- d-----w- c:\program files\Lavasoft
2009-11-09 02:55 . 2009-11-03 01:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-08 18:57 . 2009-11-12 02:52 -------- d-----w- c:\users\Amanda\AppData\Local\skcrna
2009-11-07 20:14 . 2009-11-07 20:14 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-11-07 20:14 . 2009-11-13 02:06 -------- d-----w- c:\users\Amanda\AppData\Roaming\SUPERAntiSpyware.com
2009-11-07 20:14 . 2009-11-13 02:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-07 18:21 . 2009-11-07 18:21 -------- d-----w- c:\users\Amanda\AppData\Roaming\Malwarebytes
2009-11-07 18:21 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-07 18:21 . 2009-11-07 18:21 -------- d-----w- c:\programdata\Malwarebytes
2009-11-07 18:21 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-07 18:21 . 2009-11-07 18:21 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-30 03:46 . 2007-08-20 12:46 12 ----a-w- c:\windows\bthservsdp.dat
2009-11-27 14:41 . 2008-02-29 03:50 7592 ----a-w- c:\users\Amanda\AppData\Local\d3d9caps.dat
2009-11-19 21:51 . 2009-11-17 02:58 862040 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-11-19 21:51 . 2009-11-17 02:58 206944 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-11-17 02:58 . 2009-11-17 02:58 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-17 02:58 . 2009-11-17 02:58 93360 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2009-11-17 02:58 . 2009-11-17 02:58 554280 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\sbap.dll
2009-11-17 02:58 . 2009-11-17 02:58 15880 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-11-17 02:58 . 2009-11-17 02:58 283944 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Vipre.dll
2009-11-17 02:58 . 2009-11-17 02:58 212480 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\VipreBridge.dll
2009-11-17 02:58 . 2009-11-17 02:58 1223976 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\SBTE.dll
2009-11-17 02:58 . 2009-11-17 02:58 242984 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\SBRE.dll
2009-11-17 02:58 . 2009-11-17 02:58 5908024 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Resources.dll
2009-11-14 20:08 . 2008-09-21 14:22 4096 d-----w- c:\program files\Microsoft Silverlight
2009-11-13 02:06 . 2008-05-14 00:09 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-21 01:25 . 2009-10-21 01:26 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-21 01:25 . 2007-08-20 12:54 -------- d-----w- c:\program files\Java
2009-10-04 22:14 . 2007-08-20 12:54 12288 d--h--w- c:\program files\InstallShield Installation Information
2009-09-21 21:09 . 2009-09-21 21:09 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-09-16 14:22 . 2007-08-20 13:05 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2007-08-20 13:05 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2007-08-20 13:05 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2007-08-20 13:05 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2007-08-20 13:05 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2007-08-20 12:59 . 2007-08-20 12:59 76 --sh--r- c:\windows\CT4CET.bin
2007-08-20 20:40 . 2007-08-20 20:37 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-27 1232896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-08-20 1006264]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-28 857648]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-09 36864]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-06-25 405504]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-10-05 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-05 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-05 81920]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2007-10-05 86016]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-01-12 488984]
"LVCOMSX"="c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-01-12 244512]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-07-27 185896]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-01-23 101136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"DelayShred"="c:\program files\mcafee\mshr\ShrCL.EXE" [2009-09-25 113168]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-3 703280]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-8-20 50688]
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]
QuickSet.lnk - c:\windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2007-8-20 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Amanda^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Amanda\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2518359263-3165569482-3143533669-1000]
"EnableNotificationsRef"=dword:00000001

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [11/16/2009 9:50 PM 64288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder

2009-09-02 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 16:22]

2009-09-02 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 16:22]

2009-11-30 c:\windows\Tasks\User_Feed_Synchronization-{DD3F53E4-F1AC-420B-B3EF-93F3BB4B968A}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1070820
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\qxuk5664.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npImgCtl.dll
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Ad-Aware - c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe REMOVE=TRUE MODIFY=FALSE
AddRemove-NVIDIA Drivers - c:\windows\system32\NVUNINST.EXE UninstallGUI
AddRemove-QNAP_FINDER - c:\program files\QNAP\Finder\qnapuninstall.exe QNAP_FINDER
AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-29 22:48
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys hal.dll >>UNKNOWN [0x8523350C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x82faed1f
\Driver\ACPI -> acpi.sys @ 0x804699d6
\Driver\atapi -> ataport.SYS @ 0x806219ba
\Driver\iaStor -> iastor.sys @ 0x8064cc1a
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\S-1-5-21-2518359263-3165569482-3143533669-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e3,81,70,d0,5d,1f,d7,01,36,92,5f,8a,27,ce,d9,58,39,26,16,a0,a1,8f,a7,
50,ba,f1,68,9e,9c,b3,48,82,34,11,c9,f3,20,86,fd,0a,4d,68,76,28,76,60,78,68,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(700)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'Explorer.exe'(4324)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\program files\Pure Networks\Network Magic\nmrsrc.dll
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\AAWService.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\Dell\QuickSet\quickset.exe
c:\windows\System32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Common Files\Seagate\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\WIDCOMM\Bluetooth Software\BtStackServer.exe
c:\program files\McAfee\SiteAdvisor\McSACore.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\windows\system32\rundll32.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\program files\Seagate\Sync\SeaSyncServices.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\STacSV.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\progra~1\mcafee\VIRUSS~1\mcvsshld.exe
c:\progra~1\mcafee\VIRUSS~1\mcvsmap.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-11-29 23:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-30 04:03

Pre-Run: 41,312,989,184 bytes free
Post-Run: 41,462,005,760 bytes free

- - End Of File - - 8F44C560A850E2FD7B0F20A9DE11A684

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:39 PM, on 11/29/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16851)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Users\Amanda\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] "C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] "rundll32.exe" C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P7 /q C:\Users\Amanda\AppData\Local\Temp\HSPERF~1.SH! (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P7 /q C:\Users\Amanda\AppData\Local\Temp\HSPERF~1.SH! (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: McAfee Security Scan.lnk = ?
O4 - Global Startup: QuickSet.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\Windows\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)
O23 - Service: Seagate Sync Service - Seagate Technology LLC - C:\Program Files\Seagate\Sync\SeaSyncServices.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9883 bytes

#11 aommaster (Malware Response Team, 5,294 posts, Dubai)

Posted 01 December 2009 - 04:38 PM

Hello, Amanda78.
For SuperAntiSpyware and Spyware Doctor, try reinstalling them and uninstalling them through the Control Panel again. If this still doesn't fix your problem, let me know.

NEXT:

We need to run SystemLook
  • Please download SystemLook from jpshortstuff and save it to your Desktop
    Download Mirror #1
    Download Mirror #2
  • Double-click SystemLook and copy/paste the following into the box
    :filefind
    iastor.sys
  • Hit the Look button. Let it finish the scan
  • A log will then be saved to your Desktop. Post the content of the log here in your next reply

In your next reply, please include the following:
  • SystemLook Log

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#12 Amanda78

Amanda78
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:01:23 AM

Posted 01 December 2009 - 05:25 PM

Here is the log from SystemLook:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 17:21 on 01/12/2009 by Amanda (Administrator - Elevation successful)

========== filefind ==========

Searching for "iastor.sys"
C:\Drivers\storage\R154200\iastor.sys --a--- 277784 bytes [20:34 20/08/2007] [21:36 12/02/2007] FD7F9D74C2B35DBDA400804A3F5ED5D8
C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_1cb29a96\iaStor.sys --a--- 277784 bytes [20:41 20/08/2007] [21:36 12/02/2007] FD7F9D74C2B35DBDA400804A3F5ED5D8
C:\Windows\System32\DriverStore\FileRepository\iastor.inf_8f0cb06b\iaStor.sys --a--- 277784 bytes [20:41 20/08/2007] [21:36 12/02/2007] FD7F9D74C2B35DBDA400804A3F5ED5D8
C:\Windows\System32\drivers\iaStor.sys --a--- 277784 bytes [20:41 20/08/2007] [21:36 12/02/2007] 0F152BA755C55D4C4654BEF3954E38BC

-=End Of File=-


Amanda
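The log above shows the pattern a helper is looking for with a filefind on a storage driver: three copies of iastor.sys (the OEM's C:\Drivers folder and the two DriverStore\FileRepository staging copies) share one MD5, while the copy actually loaded from C:\Windows\System32\drivers has a different MD5 at exactly the same size, which means its bytes were changed in place. As an added illustration that is not part of the thread and not SystemLook's own code, the following Python script parses filefind output in the format posted above and reports any copy whose hash disagrees with its siblings. The sample log is constructed from the lines in this post; the built-in assumptions are that same-size copies of one driver should hash identically and that the DriverStore\FileRepository copies are the better reference when they exist, with the majority hash as the fallback.

```python
"""Flag a driver copy whose MD5 disagrees with its other on-disk copies.

Added example: not code from the thread, from BleepingComputer or from the
SystemLook author. It parses SystemLook ":filefind" output and reports any
copy of a searched file whose hash differs from the reference hash while the
size is identical (same size, different bytes: the file was altered in place).
"""
import re
from collections import Counter, defaultdict

# Constructed sample input: the filefind lines posted above, reproduced verbatim.
SAMPLE_LOG = """\
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 17:21 on 01/12/2009 by Amanda (Administrator - Elevation successful)

========== filefind ==========

Searching for "iastor.sys"
C:\\Drivers\\storage\\R154200\\iastor.sys --a--- 277784 bytes [20:34 20/08/2007] [21:36 12/02/2007] FD7F9D74C2B35DBDA400804A3F5ED5D8
C:\\Windows\\System32\\DriverStore\\FileRepository\\iaahci.inf_1cb29a96\\iaStor.sys --a--- 277784 bytes [20:41 20/08/2007] [21:36 12/02/2007] FD7F9D74C2B35DBDA400804A3F5ED5D8
C:\\Windows\\System32\\DriverStore\\FileRepository\\iastor.inf_8f0cb06b\\iaStor.sys --a--- 277784 bytes [20:41 20/08/2007] [21:36 12/02/2007] FD7F9D74C2B35DBDA400804A3F5ED5D8
C:\\Windows\\System32\\drivers\\iaStor.sys --a--- 277784 bytes [20:41 20/08/2007] [21:36 12/02/2007] 0F152BA755C55D4C4654BEF3954E38BC

-=End Of File=-
"""

SEARCH_RE = re.compile(r'^Searching for "(?P<name>.+)"$')
# One hit line: path, six attribute flags, size in bytes, two bracketed
# timestamps (kept in the order SystemLook prints them), then the MD5.
HIT_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-A-Za-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<stamp1>[^\]]+)\] \[(?P<stamp2>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(log_text):
    """Group hit lines under the name they were found for: {name: [hit, ...]}."""
    hits = defaultdict(list)
    current = None
    for line in log_text.splitlines():
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name").lower()
            continue
        m = HIT_RE.match(line) if current else None
        if m:
            hit = m.groupdict()
            hit["size"] = int(hit["size"])
            hit["md5"] = hit["md5"].upper()
            hits[current].append(hit)
    return dict(hits)


def reference_hash(copies):
    """Pick the hash to trust: the one shared by Windows' own staging copies under
    DriverStore\\FileRepository when any exist, otherwise the majority hash
    (assumption of this example, not a SystemLook rule)."""
    staged = [c["md5"] for c in copies
              if "\\driverstore\\filerepository\\" in c["path"].lower()]
    pool = staged or [c["md5"] for c in copies]
    return Counter(pool).most_common(1)[0][0]


def find_hash_outliers(hits):
    """Return (name, path, md5, reference_md5) for every copy that has the same
    size as all of its siblings but hashes differently from the reference."""
    outliers = []
    for name, copies in hits.items():
        if len(copies) < 2:
            continue  # nothing to compare against
        ref = reference_hash(copies)
        sizes = {c["size"] for c in copies}
        for c in copies:
            if c["md5"] != ref and len(sizes) == 1:
                outliers.append((name, c["path"], c["md5"], ref))
    return outliers


if __name__ == "__main__":
    for name, path, md5, ref in find_hash_outliers(parse_filefind(SAMPLE_LOG)):
        print(f"{name}: {path} has MD5 {md5}, reference copies have {ref}")
```

Run against the sample it reports exactly one outlier, the copy in C:\Windows\System32\drivers, with the DriverStore hash as reference. A copy whose size also differs is deliberately not reported by this check, since a size change is a different situation (a replaced file rather than an in-place patch) and is obvious from the log without any tooling.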

#13 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:09:23 AM

Posted 01 December 2009 - 06:19 PM

Hello, Amanda78.
We need to run an Avenger script
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C. Do not copy the word "code".
    Files to move:
    C:\Drivers\storage\R154200\iastor.sys | C:\windows\system32\drivers\iastor.sys
  • In the avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.

    Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.

  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.
In your next reply, please include the following:
  • Avenger Log



#14 Amanda78

Amanda78
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:01:23 AM

Posted 01 December 2009 - 08:08 PM

Okay, I ran Avenger as you said but when the first reboot question came up, so did my McAfee Alert box. McAfee said it blocked and removed a trojan. I closed the alert and let the computer reboot. When it came up after reboot, I got an error box from Microsoft saying a program couldn't start. I looked at the details and the program that was trying to run was "dsca.exe". I closed that and waited to see if Avenger would come back up or the log would pop up and nothing happened. I looked for the log file and it had not been created. So I figured McAfee stopped it from running properly and I turned off my anti-virus, spyware, etc protection and ran Avenger again. This time no McAfee alert box. The computer rebooted and the same error box popped up. This time I copied the details so I could post them in this reply. After I closed that box, I looked for the log file from Avenger and this time it was there. So below I'm posting the error info first and then the Avenger log info. I hope I didn't do anything wrong. Let me know... Thanks!!!

Problem signature:
Problem Event Name: APPCRASH
Application Name: dsca.exe
Application Version: 1.0.2767.18581
Application Timestamp: 46ae0f8b
Fault Module Name: StackHash_27f2
Fault Module Version: 0.0.0.0
Fault Module Timestamp: 00000000
Exception Code: c0000005
Exception Offset: 0001102e
OS Version: 6.0.6000.2.0.0.768.3
Locale ID: 1033
Additional Information 1: 27f2
Additional Information 2: 325055436168101a578479ab72a66d1a
Additional Information 3: 21e2
Additional Information 4: c8b0deb27397de66dbbb0cb7ca788765


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not move file "C:\Drivers\storage\R154200\iastor.sys"
File move operation "C:\Drivers\storage\R154200\iastor.sys|C:\windows\system32\drivers\iastor.sys" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Completed script processing.

*******************

Finished! Terminate.

#15 Amanda78

Amanda78
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:01:23 AM

Posted 01 December 2009 - 08:12 PM

On a good note, I just tried out Yahoo and Google and the search redirect issue didn't occur... Not sure if that means I'm cured or just on the road to recovery... :D

Amanda



