
Google Searches being redirected


  • This topic is locked
14 replies to this topic

#1 Joeymac

Joeymac

  • Members
  • 16 posts
  • OFFLINE
  • Local time:12:05 PM

Posted 28 November 2009 - 01:52 PM

My browser is being hijacked to various sites. I have run SUPERAntiSpyware, Malwarebytes, CCleaner and Ad-Aware but have not had any luck. I ran DDS and GMER and am posting the logs. Any help in removal is greatly appreciated.


DDS (Ver_09-11-24.02) - NTFSx86
Run by Joe McKain at 16:41:16.93 on Fri 11/27/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.115 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\FreezeScreenSaver.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\System32\mshta.exe
C:\Documents and Settings\Joe McKain\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www6.comcast.net/a/
uLocal Page = \blank.htm
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {12723304-463C-4377-8FEE-FCAB14BF8083} - No File
BHO: {722D2939-A14A-41A9-9EAC-AB8F4E295819} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Advertising Cookie Opt-out: {8e425eb4-adbd-4816-b1e8-49bb9decf034} - c:\program files\google\advertising cookie opt-out\opt_out.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {40D41A8B-D79B-43D7-99A7-9EE0F344C385} - No File
TB: {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: Groove Folder Synchronization: {2a541ae1-5bf6-4665-a8a3-cfa9672e4291} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\comcast\comcas~1\data\xtras\mssysmgr.exe
uRun: [DelayShred] c:\progra~1\mcafee\mshr\shrcl.exe /p7 /q c:\docume~1\joemck~1\locals~1\temp\tempor~1\content.ie5\qh0nebcn.sh! c:\docume~1\joemck~1\locals~1\temp\tempor~1\content.ie5\odirc1u9.sh! c:\docume~1\joemck~1\locals~1\temp\tempor~1\content.ie5\khsz6luf.sh! c:\docume~1\joemck~1\locals~1\temp\tempor~1\content.ie5\01k1s72t.sh! c:\docume~1\joemck~1\locals~1\temp\tempor~1\content.sh! c:\docume~1\joemck~1\locals~1\temp\tempor~1.sh! c:\docume~1\joemck~1\locals~1\temp\tempor~1.sh!\content.sh!\qh0nebcn.sh! c:\docume~1\joemck~1\locals~1\temp\tempor~1.sh!\content.sh!\odirc1u9.sh! c:\docume~1\joemck~1\locals~1\temp\tempor~1.sh!\content.sh!\khsz6luf.sh! c:\docume~1\joemck~1\locals~1\temp\tempor~1.sh!\content.sh!\01k1s72t.sh! c:\docume~1\joemck~1\locals~1\temp\tempor~1.sh!\content.sh! c:\docume~1\joemck~1\locals~1\tempor~1\content.ie5\3a5a017i\ffffff~3.sh! c:\docume~1\joemck~1\locals~1\tempor~1\content.ie5\fctz7bbk\patrio~1.sh! c:\docume~1\joemck~1\locals~1\tempor~1\content.ie5\9azemh6f\ffffff~1.sh! c:\docume~1\joemck~1\locals~1\temp\svf3l.sh! c:\docume~1\joemck~1\locals~1\temp\hsperf~1.sh! c:\docume~1\joemck~1\locals~1\temp\google~1.sh! c:\docume~1\joemck~1\locals~1\temp\mproje~2.sh! c:\docume~1\joemck~1\locals~1\tempor~1\content.ie5\n5ldevg5\syncme~1.sh! c:\docume~1\joemck~1\locals~1\tempor~1\content.ie5\orp1gvq3\syncme~1.sh! c:\docume~1\joemck~1\locals~1\temp\tempor~1\content.ie5\x2nq3k0f.sh! c:\docume~1\joemck~1\locals~1\temp\tempor~1\content.ie5\ig3qoiqy.sh! c:\docume~1\joemck~1\locals~1\temp\history\history.sh! c:\docume~1\joemck~1\locals~1\temp\history.sh! c:\docume~1\joemck~1\locals~1\temp\cookies.sh! c:\docume~1\joemck~1\locals~1\tempor~1\content.ie5\ijfmxoxc\live_1~1.sh! c:\docume~1\joemck~1\locals~1\tempor~1\content.ie5\ww7qstl3\LPP_1_~1.SH!
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nForce Tray Options] sstray.exe /r
mRun: [CXMon] "c:\program files\hewlett-packard\photosmart\photo imaging\Hpi_Monitor.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\docume~1\joemck~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office12\GROOVE.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\BigFix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\1.0.150\SSScheduler.exe
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\progra~1\aim\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - No File
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-10 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R2 FreezeScreenSaver;FreezeScreenSaver;c:\windows\system32\FreezeScreenSaver.exe [2008-9-24 69632]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1184912]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]
R4 PCTCore;PCTools KDS;c:\windows\system32\drivers\pctcore.sys --> c:\windows\system32\drivers\PCTCore.sys [?]
S2 0084471258602410mcinstcleanup;McAfee Application Installer Cleanup (0084471258602410);c:\windows\temp\008447~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\008447~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 gupdate1c9a35abd5c4136;Google Update Service (gupdate1c9a35abd5c4136);c:\program files\google\update\GoogleUpdate.exe [2009-3-12 133104]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2009-2-25 13088]

=============== Created Last 30 ================

2009-11-27 18:18:31 1640400 ----a-w- c:\windows\PCTBDCore.dll
2009-11-27 18:12:50 0 d-----w- c:\program files\common files\PC Tools
2009-11-27 18:12:48 0 d-----w- c:\program files\Spyware Doctor
2009-11-27 16:05:49 104703 -c--a-w- C:\MGlogs.zip
2009-11-27 16:05:17 0 dc----w- C:\MGtools
2009-11-27 16:02:23 0 dcs---w- C:\ComboFix
2009-11-26 14:48:33 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-11-26 14:47:40 0 d-----w- c:\program files\SUPERAntiSpyware
2009-11-26 14:47:40 0 d-----w- c:\docume~1\joemck~1\applic~1\SUPERAntiSpyware.com
2009-11-26 14:46:51 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-11-25 23:12:50 0 d-----w- c:\program files\CCleaner
2009-11-23 11:37:05 434 -c--a-w- C:\2.js
2009-11-18 02:24:44 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-13 23:25:29 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-10 23:23:00 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-10 22:24:03 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-29 23:07:20 0 dc----w- C:\users

==================== Find3M ====================

2009-11-27 13:52:27 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-11 09:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-30 19:44:51 356352 ----a-w- c:\windows\system32\pc.exe
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2006-09-07 01:14:28 21290704 ----a-w- c:\program files\AdbeRdr708_en_US.exe
2006-09-07 01:13:14 7050552 ----a-w- c:\program files\psa30se_en_us.exe
2006-09-07 01:12:49 762512 ----a-w- c:\program files\ytb612_efgsip.exe
2006-01-22 03:22:46 774144 ----a-w- c:\program files\RngInterstitial.dll
2003-11-21 20:13:48 5387 ----a-r- c:\program files\Setup.ini
2003-09-22 16:26:56 435 ----a-r- c:\program files\layout.bin
2003-09-22 16:26:56 108233 ----a-r- c:\program files\data2.cab
2003-09-22 16:26:54 47160 ----a-r- c:\program files\data1.hdr
2003-09-22 16:26:54 4635940 ----a-r- c:\program files\data1.cab
2003-09-22 16:26:46 211712 ----a-r- c:\program files\setup.inx
2001-09-05 08:24:02 344923 ----a-r- c:\program files\ikernel.ex_
2003-03-31 12:00:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12:07 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:11:56 1028096 --sha-w- c:\windows\system32\mfc42.dll
2008-04-14 00:12:01 57344 --sha-w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12:01 343040 --sha-w- c:\windows\system32\msvcrt.dll
2008-04-14 00:12:32 11776 --sh--w- c:\windows\system32\regsvr32.exe
2008-10-18 07:07:30 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101820081019\index.dat

============= FINISH: 16:44:45.73 ===============
GMER file
GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-28 13:52:24
Windows 5.1.2600 Service Pack 3
Running: xp0urg27.exe; Driver: C:\DOCUME~1\JOEMCK~1\LOCALS~1\Temp\pwtdapod.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF755787E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7557BFE]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEB04A0B0]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEB36178A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEB361738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEB36174C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xEB361837]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xEB361863]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xEB3618D1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xEB3618BB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEB3617CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xEB3618FD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xEB36180D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEB361710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEB361724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEB36179E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xEB361939]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xEB36188F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEB361776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEB361762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEB3617F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xEB3618E7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEB3617E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEB3617B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 451 804E2AAD 3 Bytes [A0, 04, EB]
.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP EB3617B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80568EE9 5 Bytes JMP EB361811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 8056A382 7 Bytes JMP EB361893 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056F600 5 Bytes JMP EB36178E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 80570441 5 Bytes JMP EB361766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 805732AD 7 Bytes JMP EB36193D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 805735A4 7 Bytes JMP EB3618D5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805741D0 5 Bytes JMP EB361714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 8057457F 7 Bytes JMP EB3617A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 80578606 5 Bytes JMP EB3617E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80578A81 7 Bytes JMP EB3617CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 80581030 7 Bytes JMP EB361750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805836B0 5 Bytes JMP EB3617FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058B58D 5 Bytes JMP EB361728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 8058BA5D 5 Bytes JMP EB361901 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 80590669 7 Bytes JMP EB3618BF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80592D50 7 Bytes JMP EB361867 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 805952BE 7 Bytes JMP EB36183B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B136A 5 Bytes JMP EB36173C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062DD47 5 Bytes JMP EB36177A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 8064DA6E 7 Bytes JMP EB3618EB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064E394 7 Bytes JMP EB3618A9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064E812 7 Bytes JMP EB361851 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8064ED05 5 Bytes JMP EB361915 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 8064F16E 5 Bytes JMP EB361929 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
init C:\WINDOWS\system32\drivers\nvax.sys entry point in "init" section [0xF6CE4B8D]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Messenger\msmsgs.exe[236] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 011F0FEF
.text C:\Program Files\Messenger\msmsgs.exe[236] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 011F0F33
.text C:\Program Files\Messenger\msmsgs.exe[236] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 011F0F44
.text C:\Program Files\Messenger\msmsgs.exe[236] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 011F0F6B
.text C:\Program Files\Messenger\msmsgs.exe[236] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 011F0F7C
.text C:\Program Files\Messenger\msmsgs.exe[236] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 011F0FA8
.text C:\Program Files\Messenger\msmsgs.exe[236] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 011F0F18
.text C:\Program Files\Messenger\msmsgs.exe[236] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 011F0054
.text C:\Program Files\Messenger\msmsgs.exe[236] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 011F00A0
.text C:\Program Files\Messenger\msmsgs.exe[236] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 011F0F07
.text C:\Program Files\Messenger\msmsgs.exe[236] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 011F0EE2
.text C:\Program Files\Messenger\msmsgs.exe[236] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 011F0F8D
.text C:\Program Files\Messenger\msmsgs.exe[236] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 011F0FDE
.text C:\Program Files\Messenger\msmsgs.exe[236] kernel32.dll!CreatePipe 7C81D83F 1 Byte [E9]
.text C:\Program Files\Messenger\msmsgs.exe[236] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 011F0043
.text C:\Program Files\Messenger\msmsgs.exe[236] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 011F0014
.text C:\Program Files\Messenger\msmsgs.exe[236] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 011F0FC3
.text C:\Program Files\Messenger\msmsgs.exe[236] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 011F007B
.text C:\Program Files\Messenger\msmsgs.exe[236] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 011D0FD2
.text C:\Program Files\Messenger\msmsgs.exe[236] msvcrt.dll!system 77C293C7 5 Bytes JMP 011D005D
.text C:\Program Files\Messenger\msmsgs.exe[236] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 011D0027
.text C:\Program Files\Messenger\msmsgs.exe[236] msvcrt.dll!_open 77C2F566 5 Bytes JMP 011D000C
.text C:\Program Files\Messenger\msmsgs.exe[236] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 011D0042
.text C:\Program Files\Messenger\msmsgs.exe[236] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 011D0FEF
.text C:\Program Files\Messenger\msmsgs.exe[236] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 011E0FD4
.text C:\Program Files\Messenger\msmsgs.exe[236] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 011E0FA8
.text C:\Program Files\Messenger\msmsgs.exe[236] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 011E0025
.text C:\Program Files\Messenger\msmsgs.exe[236] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 011E0FEF
.text C:\Program Files\Messenger\msmsgs.exe[236] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 011E0065
.text C:\Program Files\Messenger\msmsgs.exe[236] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 011E000A
.text C:\Program Files\Messenger\msmsgs.exe[236] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 011E004A
.text C:\Program Files\Messenger\msmsgs.exe[236] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 011E0FC3
.text C:\Program Files\Messenger\msmsgs.exe[236] WS2_32.dll!socket 71AB4211 5 Bytes JMP 011C0FE5
.text C:\Program Files\Messenger\msmsgs.exe[236] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 011B0000
.text C:\Program Files\Messenger\msmsgs.exe[236] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 011B0FEF
.text C:\Program Files\Messenger\msmsgs.exe[236] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 011B0025
.text C:\Program Files\Messenger\msmsgs.exe[236] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 011B0FD4
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C10000
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C1006C
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C10F77
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C10F88
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C10FA5
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C10036
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C10F4B
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C10F5C
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C100C2
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C10F29
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C10F0E
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C10051
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C10FE5
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C10087
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C10FD4
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C10025
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C10F3A
.text C:\WINDOWS\System32\svchost.exe[448] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C00FB9
.text C:\WINDOWS\System32\svchost.exe[448] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C00051
.text C:\WINDOWS\System32\svchost.exe[448] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C0000A
.text C:\WINDOWS\System32\svchost.exe[448] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C00FDE
.text C:\WINDOWS\System32\svchost.exe[448] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C00F9E
.text C:\WINDOWS\System32\svchost.exe[448] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\System32\svchost.exe[448] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C00040
.text C:\WINDOWS\System32\svchost.exe[448] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C00025
.text C:\WINDOWS\System32\svchost.exe[448] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BF0058
.text C:\WINDOWS\System32\svchost.exe[448] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BF0FCD
.text C:\WINDOWS\System32\svchost.exe[448] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BF0022
.text C:\WINDOWS\System32\svchost.exe[448] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\System32\svchost.exe[448] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BF003D
.text C:\WINDOWS\System32\svchost.exe[448] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BF0FDE
.text C:\WINDOWS\System32\svchost.exe[448] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\System32\svchost.exe[448] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 001B0FD4
.text C:\WINDOWS\System32\svchost.exe[448] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 001B0FC3
.text C:\WINDOWS\System32\svchost.exe[448] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 001B001E
.text C:\WINDOWS\System32\svchost.exe[448] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FD000A
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FD00AE
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FD0093
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FD0082
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FD0065
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FD0FC3
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FD0F77
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FD0F94
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FD0F4B
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FD00DA
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FD00FF
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FD004A
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FD001B
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FD00BF
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FD0FD4
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FD0FEF
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FD0F5C
.text C:\WINDOWS\system32\services.exe[744] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00070FC0
.text C:\WINDOWS\system32\services.exe[744] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00070F7C
.text C:\WINDOWS\system32\services.exe[744] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00070011
.text C:\WINDOWS\system32\services.exe[744] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[744] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00070F8D
.text C:\WINDOWS\system32\services.exe[744] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[744] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00070F9E
.text C:\WINDOWS\system32\services.exe[744] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [27, 88]
.text C:\WINDOWS\system32\services.exe[744] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00070FAF
.text C:\WINDOWS\system32\services.exe[744] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060FA5
.text C:\WINDOWS\system32\services.exe[744] msvcrt.dll!system 77C293C7 5 Bytes JMP 0006003A
.text C:\WINDOWS\system32\services.exe[744] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060FDE
.text C:\WINDOWS\system32\services.exe[744] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[744] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00060029
.text C:\WINDOWS\system32\services.exe[744] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[744] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\services.exe[744] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00040011
.text C:\WINDOWS\system32\services.exe[744] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00040FE5
.text C:\WINDOWS\system32\services.exe[744] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 0004002C
.text C:\WINDOWS\system32\services.exe[744] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D70000
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D70F81
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D7006C
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D7005B
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D70FA8
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D70FC3
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D70F4B
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D70087
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D700C2
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D70F1F
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D70F04
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D7004A
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D7001B
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D70F5C
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D70FD4
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D70FE5
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D70F3A
.text C:\WINDOWS\system32\lsass.exe[756] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D60F9E
.text C:\WINDOWS\system32\lsass.exe[756] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D6003D
.text C:\WINDOWS\system32\lsass.exe[756] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D60FB9
.text C:\WINDOWS\system32\lsass.exe[756] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D60FD4
.text C:\WINDOWS\system32\lsass.exe[756] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D6002C
.text C:\WINDOWS\system32\lsass.exe[756] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D60FE5
.text C:\WINDOWS\system32\lsass.exe[756] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D6001B
.text C:\WINDOWS\system32\lsass.exe[756] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D6000A
.text C:\WINDOWS\system32\lsass.exe[756] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D50070
.text C:\WINDOWS\system32\lsass.exe[756] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D5005F
.text C:\WINDOWS\system32\lsass.exe[756] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D50029
.text C:\WINDOWS\system32\lsass.exe[756] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D50000
.text C:\WINDOWS\system32\lsass.exe[756] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D50044
.text C:\WINDOWS\system32\lsass.exe[756] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D50FEF
.text C:\WINDOWS\system32\lsass.exe[756] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D4000A
.text C:\WINDOWS\system32\lsass.exe[756] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 0094000A
.text C:\WINDOWS\system32\lsass.exe[756] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 0094001B
.text C:\WINDOWS\system32\lsass.exe[756] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 0094002C
.text C:\WINDOWS\system32\lsass.exe[756] WININET.dll!InternetOpenUrlW 3D998439 1 Byte [E9]
.text C:\WINDOWS\system32\lsass.exe[756] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 0094003D
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0265000A
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02650F6B
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02650F7C
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02650056
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02650F8D
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02650FC3
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02650F3F
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02650087
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 026500BD
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02650F24
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02650F09
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02650FA8
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02650FEF
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02650F50
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0265002F
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02650FDE
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 026500A2
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0264002C
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0264006C
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0264001B
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0264000A
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02640051
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02640FE5
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02640FB9
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [84, 8A]
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02640FCA
.text C:\WINDOWS\system32\svchost.exe[928] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02630049
.text C:\WINDOWS\system32\svchost.exe[928] msvcrt.dll!system 77C293C7 5 Bytes JMP 02630FC8
.text C:\WINDOWS\system32\svchost.exe[928] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02630027
.text C:\WINDOWS\system32\svchost.exe[928] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02630FEF
.text C:\WINDOWS\system32\svchost.exe[928] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02630038
.text C:\WINDOWS\system32\svchost.exe[928] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0263000C
.text C:\WINDOWS\system32\svchost.exe[928] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 02610000
.text C:\WINDOWS\system32\svchost.exe[928] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 02610011
.text C:\WINDOWS\system32\svchost.exe[928] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 02610022
.text C:\WINDOWS\system32\svchost.exe[928] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 02610033
.text C:\WINDOWS\system32\svchost.exe[928] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02620000
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01200FE5
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01200F77
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01200F88
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0120006C
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0120005B
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0120002C
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 012000B3
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 012000A2
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 012000DF
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01200F50
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01200F2B
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01200FAF
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01200000
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01200091
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0120001B
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01200FCA
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 012000CE
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 011F0FAF
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 011F0F79
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 011F0000
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 011F0FD4
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 011F0036
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 011F0FE5
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 011F0025
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 011F0F94
.text C:\WINDOWS\system32\svchost.exe[996] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 011E0FCF
.text C:\WINDOWS\system32\svchost.exe[996] msvcrt.dll!system 77C293C7 5 Bytes JMP 011E005A
.text C:\WINDOWS\system32\svchost.exe[996] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 011E002E
.text C:\WINDOWS\system32\svchost.exe[996] msvcrt.dll!_open 77C2F566 5 Bytes JMP 011E0000
.text C:\WINDOWS\system32\svchost.exe[996] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 011E003F
.text C:\WINDOWS\system32\svchost.exe[996] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 011E001D
.text C:\WINDOWS\system32\svchost.exe[996] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\svchost.exe[996] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00FF0FDE
.text C:\WINDOWS\system32\svchost.exe[996] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00FF0014
.text C:\WINDOWS\system32\svchost.exe[996] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00FF0025
.text C:\WINDOWS\system32\svchost.exe[996] WS2_32.dll!socket 71AB4211 5 Bytes JMP 011D0000
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 025B0FEF
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 025B0093
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 025B0F94
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 025B0078
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 025B0FAF
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 025B0036
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 025B00B5
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 025B00A4
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 025B00F5
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 025B0F52
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 025B0F41
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 025B0047
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 025B000A
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 025B0F83
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 025B0FCA
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 025B001B
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 025B00D0
.text C:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 023F0FAF
.text C:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 023F0F83
.text C:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 023F0FCA
.text C:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 023F0000
.text C:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 023F0040
.text C:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 023F0FE5
.text C:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 023F0025
.text C:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 023F0F9E
.text C:\WINDOWS\System32\svchost.exe[1092] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 023E0F75
.text C:\WINDOWS\System32\svchost.exe[1092] msvcrt.dll!system 77C293C7 5 Bytes JMP 023E000A
.text C:\WINDOWS\System32\svchost.exe[1092] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 023E0FB5
.text C:\WINDOWS\System32\svchost.exe[1092] msvcrt.dll!_open 77C2F566 5 Bytes JMP 023E0FEF
.text C:\WINDOWS\System32\svchost.exe[1092] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 023E0F9A
.text C:\WINDOWS\System32\svchost.exe[1092] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 023E0FD2
.text C:\WINDOWS\System32\svchost.exe[1092] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 02020000
.text C:\WINDOWS\System32\svchost.exe[1092] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 02020011
.text C:\WINDOWS\System32\svchost.exe[1092] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 02020022
.text C:\WINDOWS\System32\svchost.exe[1092] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 02020FD1
.text C:\WINDOWS\System32\svchost.exe[1092] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02030000
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AA0000
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AA0086
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AA0F91
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AA0075
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AA0058
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AA0FB6
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AA0F6C
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AA00A8
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AA00F1
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AA00D6
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AA0F3D
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AA003D
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AA0FDB
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AA0097
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00AA0022
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00AA0011
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AA00C5
.text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A9000A
.text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A90F72
.text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A90FB9
.text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A90FDE
.text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A90F83
.text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A90FEF
.text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A90F9E
.text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C9, 88]
.text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A9001B
.text C:\WINDOWS\System32\svchost.exe[1204] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A80FD4
.text C:\WINDOWS\System32\svchost.exe[1204] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A80FEF
.text C:\WINDOWS\System32\svchost.exe[1204] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A8003A
.text C:\WINDOWS\System32\svchost.exe[1204] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A80000
.text C:\WINDOWS\System32\svchost.exe[1204] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A8005F
.text C:\WINDOWS\System32\svchost.exe[1204] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A80029
.text C:\WINDOWS\System32\svchost.exe[1204] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00A60FEF
.text C:\WINDOWS\System32\svchost.exe[1204] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00A6000A
.text C:\WINDOWS\System32\svchost.exe[1204] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00A60FDE
.text C:\WINDOWS\System32\svchost.exe[1204] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00A6002F
.text C:\WINDOWS\System32\svchost.exe[1204] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A70000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00270FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00270F7E
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00270073
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00270062
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00270051
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00270025
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 002700BC
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 002700AB
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00270F59
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 002700F2
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0027010D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00270036
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00270FD4
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0027008E
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00270014
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00270FC3
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 002700E1
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00360FB2
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00360F61
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00360FC3
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00360FDE
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00360F7C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00360FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0036001E
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00360F97
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E351FF7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351F78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E351FBC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351F04 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351F3E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E352032 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00370F9C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] msvcrt.dll!system 77C293C7 5 Bytes JMP 00370FAD
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00370FE3
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0037000C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00370FD2
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0037001D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3521F4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00A7000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00A70FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00A70FD4
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00A70FC3
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00260FE5
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CA0089
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CA0078
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CA0067
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CA004A
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CA0FB9
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CA00C6
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CA00AB
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CA0106
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CA0F63
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CA0121
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CA0FA8
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CA000A
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CA009A
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CA002F
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CA0FD4
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CA00E1
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C90051
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C90FC0
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C90040
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C90025
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C9007D
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C9000A
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C9006C
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C90FEF
.text C:\WINDOWS\System32\svchost.exe[1480] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C80049
.text C:\WINDOWS\System32\svchost.exe[1480] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C8002E
.text C:\WINDOWS\System32\svchost.exe[1480] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C8001D
.text C:\WINDOWS\System32\svchost.exe[1480] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C80FE3
.text C:\WINDOWS\System32\svchost.exe[1480] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C80FC8
.text C:\WINDOWS\System32\svchost.exe[1480] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C80000
.text C:\WINDOWS\System32\svchost.exe[1480] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00C60000
.text C:\WINDOWS\System32\svchost.exe[1480] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00C60FE5
.text C:\WINDOWS\System32\svchost.exe[1480] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00C60011
.text C:\WINDOWS\System32\svchost.exe[1480] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00C60FC0
.text C:\WINDOWS\System32\svchost.exe[1480] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C7000A
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02170FEF
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 021700A7
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02170096
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0217007B
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02170FB2
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02170FC3
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02170F69
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02170F86
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 021700DD
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 021700CC
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 021700EE
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02170054
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02170000
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02170F97
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02170025
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02170FD4
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02170F4E
.text C:\WINDOWS\Explorer.EXE[1492] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 020E0FC3
.text C:\WINDOWS\Explorer.EXE[1492] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 020E004A
.text C:\WINDOWS\Explorer.EXE[1492] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 020E001E
.text C:\WINDOWS\Explorer.EXE[1492] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 020E0FDE
.text C:\WINDOWS\Explorer.EXE[1492] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 020E0F8D
.text C:\WINDOWS\Explorer.EXE[1492] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 020E0FEF
.text C:\WINDOWS\Explorer.EXE[1492] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 020E0039
.text C:\WINDOWS\Explorer.EXE[1492] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 020E0FB2
.text C:\WINDOWS\Explorer.EXE[1492] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 020D0070
.text C:\WINDOWS\Explorer.EXE[1492] msvcrt.dll!system 77C293C7 5 Bytes JMP 020D0055
.text C:\WINDOWS\Explorer.EXE[1492] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 020D0FEF
.text C:\WINDOWS\Explorer.EXE[1492] msvcrt.dll!_open 77C2F566 5 Bytes JMP 020D0000
.text C:\WINDOWS\Explorer.EXE[1492] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 020D0044
.text C:\WINDOWS\Explorer.EXE[1492] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 020D0029
.text C:\WINDOWS\Explorer.EXE[1492] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 01320000
.text C:\WINDOWS\Explorer.EXE[1492] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 01320011
.text C:\WINDOWS\Explorer.EXE[1492] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 01320FE5
.text C:\WINDOWS\Explorer.EXE[1492] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 01320036
.text C:\WINDOWS\Explorer.EXE[1492] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01C90FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[3552] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[3552] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\System32\svchost.exe[4060] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E20000
.text C:\WINDOWS\System32\svchost.exe[4060] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E20F5E
.text C:\WINDOWS\System32\svchost.exe[4060] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E20F79
.text C:\WINDOWS\System32\svchost.exe[4060] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E20F94
.text C:\WINDOWS\System32\svchost.exe[4060] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E20051
.text C:\WINDOWS\System32\svchost.exe[4060] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E20036
.text C:\WINDOWS\System32\svchost.exe[4060] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E20089
.text C:\WINDOWS\System32\svchost.exe[4060] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E20F43
.text C:\WINDOWS\System32\svchost.exe[4060] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E20F04
.text C:\WINDOWS\System32\svchost.exe[4060] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E20F15
.text C:\WINDOWS\System32\svchost.exe[4060] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E200C2
.text C:\WINDOWS\System32\svchost.exe[4060] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E20FAF
.text C:\WINDOWS\System32\svchost.exe[4060] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E20FDB
.text C:\WINDOWS\System32\svchost.exe[4060] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E2006E
.text C:\WINDOWS\System32\svchost.exe[4060] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E20FCA
.text C:\WINDOWS\System32\svchost.exe[4060] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E20011
.text C:\WINDOWS\System32\svchost.exe[4060] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E20F26
.text C:\WINDOWS\System32\svchost.exe[4060] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E1002C
.text C:\WINDOWS\System32\svchost.exe[4060] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E10069
.text C:\WINDOWS\System32\svchost.exe[4060] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E1001B
.text C:\WINDOWS\System32\svchost.exe[4060] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E10FE5
.text C:\WINDOWS\System32\svchost.exe[4060] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E10058
.text C:\WINDOWS\System32\svchost.exe[4060] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E10000
.text C:\WINDOWS\System32\svchost.exe[4060] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E1003D
.text C:\WINDOWS\System32\svchost.exe[4060] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E10FB6
.text C:\WINDOWS\System32\svchost.exe[4060] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E00038
.text C:\WINDOWS\System32\svchost.exe[4060] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E00FAD
.text C:\WINDOWS\System32\svchost.exe[4060] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E0001D
.text C:\WINDOWS\System32\svchost.exe[4060] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E00FEF
.text C:\WINDOWS\System32\svchost.exe[4060] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E00FBE
.text C:\WINDOWS\System32\svchost.exe[4060] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E0000C
.text C:\WINDOWS\System32\svchost.exe[4060] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00DF0FEF
.text C:\WINDOWS\System32\svchost.exe[4060] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00DF000A
.text C:\WINDOWS\System32\svchost.exe[4060] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00DF0025
.text C:\WINDOWS\System32\svchost.exe[4060] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00DF0FD4

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 84E22369

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 60: copy of MBR

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Joe McKain\Cookies\joe_mckain@doubleclick[1].txt 0 bytes
File C:\Documents and Settings\Joe McKain\Local Settings\Temporary Internet Files\Content.IE5\5Z3O163F\tm-icons[1].gif 0 bytes
File C:\Documents and Settings\Joe McKain\Local Settings\Temporary Internet Files\Content.IE5\5Z3O163F\index[1].gif 0 bytes
File C:\Documents and Settings\Joe McKain\Local Settings\Temporary Internet Files\Content.IE5\5Z3O163F\yahoo[1].gif 0 bytes
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
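The "User code sections" entries above are what a helper has to triage: each line names a process, the export that was patched with a 5-byte JMP, and the address the JMP lands on. In this log the two mcproxy.exe lines end with the module that owns the target, while the svchost.exe and Explorer.EXE lines stop after the target address, so GMER could not tie those targets to any loaded module. As an added example (not part of the original post and not GMER's own code), this Python parses that line format, groups the hooks per process by the capability they intercept, and lists the processes whose hooks land in unattributed memory; the capability labels are ours, and the sample lines are copied from the log above.

```python
import re
from collections import defaultdict

# Two GMER line shapes from the log above. A hook line carries a trailing
# "<owner module> (<description>)" only when GMER attributed the JMP target.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<owner>\S.*?)\s+\((?P<desc>[^)]*)\))?\s*$"
)
SUSPICIOUS_FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification\s*$")

# Capability intercepted by each hooked export (our labels, not GMER's).
MODULE_FAMILY = {"advapi32.dll": "registry", "msvcrt.dll": "file",
                 "wininet.dll": "network", "ws2_32.dll": "network"}
KERNEL32_FAMILY = {
    "process": {"CreateProcessA", "CreateProcessW", "WinExec"},
    "loader": {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW", "GetProcAddress"},
    "memory": {"VirtualProtect", "VirtualProtectEx"},
    "file": {"CreateFileA", "CreateFileW", "CreatePipe", "CreateNamedPipeA", "CreateNamedPipeW"},
}

def family(module, func):
    """Classify one hooked export: kernel32 by function name, other DLLs by module."""
    if module.lower() == "kernel32.dll":
        return next((fam for fam, funcs in KERNEL32_FAMILY.items() if func in funcs), "other")
    return MODULE_FAMILY.get(module.lower(), "other")

def parse_hooks(lines):
    """Return one dict per user-mode hook line; lines of any other shape are skipped."""
    hooks = []
    for line in lines:
        m = HOOK_RE.match(line.strip())
        if m:
            h = m.groupdict()
            h["pid"], h["target"] = int(h["pid"]), int(h["target"], 16)
            hooks.append(h)
    return hooks

def summarize(lines):
    """Per process: hook count, capabilities intercepted, number of JMP targets GMER
    left unattributed and the 4 KiB pages those targets fall in; plus flagged files."""
    procs = defaultdict(lambda: {"count": 0, "unattributed": 0,
                                 "families": set(), "target_pages": set()})
    for h in parse_hooks(lines):
        p = procs[f"{h['process']}[{h['pid']}]"]
        p["count"] += 1
        p["families"].add(family(h["module"], h["func"]))
        if h["owner"] is None:
            p["unattributed"] += 1
            p["target_pages"].add(h["target"] >> 12)
    files = [m.group("path") for m in (SUSPICIOUS_FILE_RE.match(l.strip()) for l in lines) if m]
    return dict(procs), files

def processes_to_review(summary):
    """Processes with at least one hook whose target GMER could not tie to a module."""
    return sorted(name for name, p in summary.items() if p["unattributed"])

# Sample input: lines copied from the GMER log posted above.
SAMPLE_LOG = r"""
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C9007D
.text C:\WINDOWS\System32\svchost.exe[1480] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00C60000
.text C:\WINDOWS\System32\svchost.exe[1480] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C7000A
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02170FEF
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 021700DD
.text C:\WINDOWS\Explorer.EXE[1492] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 01320000
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[3552] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
""".strip().splitlines()

if __name__ == "__main__":
    summary, files = summarize(SAMPLE_LOG)
    for name in processes_to_review(summary):
        p = summary[name]
        pages = ", ".join(f"{pg << 12:08X}" for pg in sorted(p["target_pages"]))
        print(f"{name}: {p['unattributed']}/{p['count']} hooks land in unattributed pages "
              f"{pages}; intercepts {', '.join(sorted(p['families']))}")
    for path in files:
        print(f"GMER flagged file: {path}")
```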


#2 xblindx

xblindx

  • Banned
  • 1,923 posts
  • Gender:Male

Posted 28 November 2009 - 02:32 PM

As I am not familiar with reading the above logs, can you post the logs from Malwarebytes and SUPERantispyware?

#3 Joeymac

Joeymac
  • Topic Starter

  • Members
  • 16 posts

Posted 28 November 2009 - 03:42 PM

Here is the Malwarebytes' log:
Malwarebytes' Anti-Malware 1.41
Database version: 3250
Windows 5.1.2600 Service Pack 3

11/28/2009 11:30:21 AM
mbam-log-2009-11-28 (11-30-21).txt

Scan type: Full Scan (C:\|)
Objects scanned: 231866
Time elapsed: 1 hour(s), 18 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0L8V3GNI\pc[1].exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP1431\A0231413.dll (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pc.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.

Here is the SUPERAntiSpyware log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/26/2009 at 11:17 AM

Application Version : 4.31.1000

Core Rules Database Version : 4313
Trace Rules Database Version: 2177

Scan type : Complete Scan
Total Scan Time : 01:22:42

Memory items scanned : 519
Memory threats detected : 0
Registry items scanned : 6296
Registry threats detected : 21
File items scanned : 24719
File threats detected : 3

Adware.MovieLand/MediaPipe
HKCR\MPAgent.Agent
HKCR\MPAgent.Agent\CLSID
HKCR\MPAgent.Agent\CurVer
HKCR\MPAgent.Agent.1
HKCR\MPAgent.Agent.1\CLSID
HKCR\AppId\MPAgent.DLL
HKCR\AppId\MPAgent.DLL#AppID
HKCR\AMNotifier.HUBAWindow
HKCR\AMNotifier.HUBAWindow\CLSID
HKCR\AMNotifier.HUBAWindow\CurVer
HKCR\AMNotifier.HUBAWindow.1
HKCR\AMNotifier.HUBAWindow.1\CLSID

Adware.CamNotifier
HKU\S-1-5-21-1885967567-2234471581-2104096480-1007\Software\247Cams

Adware.180solutions/Seekmo
C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo Search Assistant\Seekmo Customer Support.url
C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo Search Assistant\Seekmo.com.url
C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo Search Assistant

Rogue.SafetyCenter
HKLM\SOFTWARE\SafetyCenter
HKLM\SOFTWARE\SafetyCenter#Affilate
HKLM\SOFTWARE\SafetyCenter#Exename
HKLM\SOFTWARE\SafetyCenter#Sound
HKLM\SOFTWARE\SafetyCenter#Startup
HKLM\SOFTWARE\SafetyCenter#New
HKLM\SOFTWARE\SafetyCenter#boot
HKLM\SOFTWARE\SafetyCenter#complete_scan

#4 xblindx

xblindx

  • Banned
  • 1,923 posts
  • Gender:Male

Posted 28 November 2009 - 03:44 PM

What symptoms of infection are you still having? Just the Google redirects?

#5 Joeymac

Joeymac
  • Topic Starter

  • Members
  • 16 posts

Posted 28 November 2009 - 03:48 PM

Also appears to open a new window every now and then. Thanks

#6 xblindx

xblindx

  • Banned
  • 1,923 posts
  • Gender:Male

Posted 28 November 2009 - 04:11 PM

What window does it open? Could you get a screenshot of it?
  • Please download GooredFix and save it to your desktop
  • Double click GooredFix.exe to open it.
    • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
    • A log will open which you can just close. The log file is named GooredLog.txt and is on your Desktop.
  • Please post the contents of GooredLog.txt in your next reply.
Note: Do not use Option 2 (Fix Goored) unless instructed to.

#7 Joeymac

Joeymac
  • Topic Starter

  • Members
  • 16 posts

Posted 28 November 2009 - 05:21 PM

If I run this, a window pops up saying it will check for and remove infections. It says click yes or no. Where do I type in option 1?

#8 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • Gender:Male

Posted 28 November 2009 - 05:25 PM

We need to check for rootkits using RootRepeal:

Please install RootRepeal

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K
Unzip that to your Desktop and then click RootRepeal.exe to open the scanner.

* Open the folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator.
* Click on the Report tab, then click the Scan button. Check all seven of the boxes.
* In the Select Drives dialog, Please select drives to scan: select all drives showing, then click OK.
* When the scan has completed, a list of files will be generated in the RootRepeal window.
* Click on the Save Report button and save it as rootrepeal.txt to your desktop or the same location where you ran the tool from.
* Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
* Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

Please note: If RootRepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High.

Note 2: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "Safe Mode".
Computer Pro

#9 Joeymac

Joeymac
  • Topic Starter

  • Members
  • 16 posts

Posted 28 November 2009 - 07:04 PM

I am unable to run RootRepeal. I tried the options you suggested: moving the slider tab, and trying to run it in safe mode. I get a window saying "initializing please wait". Then nothing. Anything else I can run?

#10 Joeymac

Joeymac
  • Topic Starter

  • Members
  • 16 posts

Posted 29 November 2009 - 11:30 AM

Still no luck running RootRepeal. Any other suggestions?

#11 xblindx

xblindx

  • Banned
  • 1,923 posts
  • Gender:Male

Posted 29 November 2009 - 12:43 PM

It's been a while since I've run GooredFix myself; it seems to have been updated. I would click "yes" then. As for RootRepeal, I have no experience with that program, so I would wait for Computer Pro to respond.

#12 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • Gender:Male

Posted 29 November 2009 - 03:43 PM

OK, let's try another Anti-Rootkit:

Please download Sophos Anti-Rootkit & save it to your desktop.
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Credits to DaChew
Be sure to print out and read the User Manual and Release Notes.
Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
Make sure the following are checked:
o Running processes
o Windows Registry
o Local Hard Drives

Click Start scan.
Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
o Files tagged as Removable: No are not marked for removal and cannot be removed.
o Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
o Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
After reboot, a dialog box displays the files you selected for removal and the action taken.
Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
Disconnect from the Internet or physically unplug you Internet cable connection.
Clean out your temporary files.
Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
Temporarily disable your anti-virus and real-time anti-spyware protection.
After starting the scan, do not use the computer until the scan has completed.
When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
Computer Pro

#13 Joeymac

Joeymac
  • Topic Starter

  • Members
  • 16 posts

Posted 29 November 2009 - 07:38 PM

I ran the scan below. No objects were marked for removal. All said yes but not recommended for removal.

Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 11/29/2009 at 17:33:16 PM
User "Joe McKain" on computer "OFFICE"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Program Files\Google\Picasa3\Picasa3i18n.dll
Hidden: file C:\Documents and Settings\Joe McKain\Local Settings\Temporary Internet Files\Content.IE5\JY5PMI4N\ol;f=allergyasthma;sect=allergybasics;pageid=helpcontrol;!category=hvnet;!category=allergyasthma;dcopt=ist;pos=1;tile=1;sz=728x90;pm=1;ord=5557443954599577[1]
Hidden: file C:\Documents and Settings\Joe McKain\Local Settings\Temporary Internet Files\Content.IE5\JY5PMI4N\sics_helpcontrol;f=allergyasthma;sect=allergybasics;pageid=helpcontrol;!category=hvnet;!category=allergyasthma;pos=7;tile=7;sz=300x250;ord=5557443954599577[1]
Hidden: file C:\Documents and Settings\Joe McKain\Local Settings\Temporary Internet Files\Content.IE5\5Z3O163F\H6JZHI01COC352ML7LYS9IJ81&meta=&browsertoken=U&platformtoken=Win32&language=en-us&pagetitle=NeXplore%20-%20Search&referer=&screen=1024x768&localtime=12%3A2[1]
Hidden: file C:\Program Files\Comcast\Comcast PhotoShow 4\data\Xtras\AnyShape.x32
Hidden: file C:\Documents and Settings\Joe McKain\Local Settings\Temporary Internet Files\Content.IE5\CC3XOWW3\ics;net=ns;u=ns-67685877_1259427805,1155f8104601a3e,Miscellaneous,;;kw=;tile=1;ord1=733769;sz=300x250,336x280;contx=Miscellaneous;btg=;ord=1907095292827891[1]
Hidden: file C:\WINDOWS\system32\dllcache\shell32.dll
Hidden: file C:\Documents and Settings\Joe McKain\Local Settings\Temporary Internet Files\Content.IE5\9I3OGKW8\tom;net=ns;u=ns-57197668_1259427811,1155f8104601a3e,Miscellaneous,;;kw=;tile=2;ord1=757867;sz=300x250,336x280;contx=Miscellaneous;btg=;ord=1907095292827891[1]
Hidden: file C:\Documents and Settings\Joe McKain\Desktop\RootRepeal\RootRepeal.exe
Hidden: file C:\Documents and Settings\Joe McKain\Local Settings\Temporary Internet Files\Content.IE5\9I3OGKW8\DDa7cbDMyFIvJK7n0BpzMn1rmsN3r7qXAiw2Cev5d8qr_HPoTx9yhksGHlX7UoE3XqcbgiqPFGGI5EsAPUPQ3SCr8oTJ06S3c5RBxo1978HOkId1Zr2JDZC81f9xLs[1].nKl7CTEUGARaV2diphHfbCwqmFNQ-
Hidden: file C:\Documents and Settings\Joe McKain\Local Settings\Temporary Internet Files\Content.IE5\9I3OGKW8\qW0WeCTJh0P1ygx_np4qZw5qrWPJcqn_AYqjbAadbCsTf_Yv7r2.C_oOkFqhnIYvpkTwYqR2iy5SPcR5xOkyOx8hYmx1JGBbO1fclo_ueHRS8QdxXTAITs.3HswQIxUdA1aTWzqmkRwm9cxd37l33.nL[1].css
Hidden: file C:\Program Files\Hewlett-Packard\PhotoSmart\Update\bin\awt.dll
Hidden: file C:\Documents and Settings\Joe McKain\Local Settings\Temporary Internet Files\Content.IE5\JY5PMI4N\qavKGtaTBl1f6LmI_NoUFdyYQzuCdcacScBJRQ3G9w1eOJDvzR_6VnQfZAYCZj0RqIwoJ8I2qq3rpmEYeVofScNmW6lK0h4hbk8YhljZM5lyaTZch7DAqoGzfUSUnhsoWuaS3Pumvb15fzT_wlsHhw0[1].css
Hidden: file C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP1510\A0244052.exe
Hidden: file C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP1510\A0244136.exe
Hidden: file C:\ComboFix\pev.exe
Hidden: file C:\ComboFix\PEV.cfxxe
Hidden: file C:\Program Files\Google\GoogleToolbarNotifier\swg-5.4.4525.1752\SearchWithGoogleUpdate.exe
Hidden: file C:\WINDOWS\$NtUninstallKB918899$\shdocvw.dll
Hidden: file C:\Documents and Settings\Joe McKain\Desktop\dds.scr
Hidden: file C:\WINDOWS\ServicePackFiles\i386\wmvcore.dll
Hidden: file C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP1499\A0242756.rbf
Hidden: file C:\WINDOWS\$NtUninstallKB871250$\query.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
Hidden: file C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\ieapfltr.dat
Hidden: file C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP1430\A0230385.rbf
Hidden: file C:\Program Files\MediaServices\Allofmp3\Allofmp3.exe
Hidden: file C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data\694c07365e0fd6bba0bc304d4d2404a7\System.Data.ni.dll
Hidden: file C:\Documents and Settings\Brendan McKain\Local Settings\Temporary Internet Files\Content.IE5\YV201C2H\%253A%252F%252Fwww.aim.com%252Fredirects%252Finclient%252FAIM_UAC_v2[1].adp%253Fmagic%253D93236874%2526width%253D120%2526height%253D90%2526sn%253DgDaWG9801
Hidden: file C:\Documents and Settings\Brendan McKain\Local Settings\Temporary Internet Files\Content.IE5\BQP7N4SY\%253A%252F%252Fwww.aim.com%252Fredirects%252Finclient%252FAIM_UAC_v2[1].adp%253Fmagic%253D93236874%2526width%253D120%2526height%253D90%2526sn%253DgDaWG9801
Hidden: file C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP1481\A0240015.rbf
Hidden: file C:\Program Files\Click'N Design 3D (V5)\StompV2.dll
Hidden: file C:\Program Files\Google\GoogleToolbarNotifier\swg-5.3.4501.1418\SearchWithGoogleUpdate.exe
Hidden: file C:\Program Files\AIM6\services\toaster\ver5_2_2_1\toaster.dll
Hidden: file C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP1430\A0230367.exe
Hidden: file C:\Documents and Settings\Kathleen McKain\Local Settings\Temporary Internet Files\Content.IE5\KEDBLJYX\FeRAnnUHFWUFn52rAsUqQrTaFaSTnHQGBIRrInStvaWGr54UTpmtIt0qaw3tMCQsZbF56JFpWXpVWBhXFfcXFUjXaINRFJATUB0VdF1mF3xPU7y1TQm4TFa4ar4mqZbKYFfbWWJXyprwm60Sge[1].gif
Hidden: file C:\Documents and Settings\Kathleen McKain\Local Settings\Temporary Internet Files\Content.IE5\5ZI4BY9V\site%3Dmyspace%26position%3Dleaderboard%26params[1].styles%3Dleaderboard%26page%3D14000009%26rand%3D421853576%26acnt%3D1%26schoolpage%3D0,;ord=1187642705
Hidden: file C:\Documents and Settings\Kathleen McKain\Local Settings\Temporary Internet Files\Content.IE5\J53IL8HK\index.cfm%3Ffuseaction%3Duser[1].edittopfriends%26friendid%3D142764849%26username%3Denols%26mytoken%3Dcae3b03a-72ae-4232-8441-e89002f869c3,;ord=1187642722
Hidden: file C:\Program Files\Lavasoft\Ad-Aware\ToolBox\LT\ProcessWatch.exe
Stopped logging on 11/29/2009 at 19:19:08 PM

#14 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • Gender:Male

Posted 30 November 2009 - 05:02 PM

Nothing in your log is jumping out at me, so I am going to recommend that you post in the HJT forum:
It looks like we are going to have to use more powerful tools than what we are allowed to use in the Am I Infected forum. I am going to need for you to post a DDS/HijackThis Log in the HijackThis Log section of the forum.

Please refer to this for your preparation reasons before posting:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

You can find the forum here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

Once you have created a new topic in the HijackThis section, please post a link to it in this topic.
Please allow time for your topic to be replied to in the HijackThis section as the HJT Team is EXTREMELY busy posting logs before yours.

Good Luck!
Computer Pro

#15 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,801 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 30 November 2009 - 07:23 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/275273/searches-being-redirected/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
