Searches being redirected


This topic is locked
17 replies to this topic

#1 Joeymac


Posted 30 November 2009 - 05:27 PM

Previous topic here: http://www.bleepingcomputer.com/forums/t/274615/google-searches-being-redirected/ ~ OB

I was referred from the Am I Infected forum. My browser is being hijacked to various sites. I have run SUPERAntiSpyware, Malwarebytes, CCleaner and Ad-Aware but have not had any luck. I ran DDS and GMER and am posting the logs. Any help in removal is greatly appreciated. I was also directed to run


DDS (Ver_09-11-24.02) - NTFSx86
Run by Joe McKain at 16:41:16.93 on Fri 11/27/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.115 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\FreezeScreenSaver.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\System32\mshta.exe
C:\Documents and Settings\Joe McKain\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www6.comcast.net/a/
uLocal Page = \blank.htm
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {12723304-463C-4377-8FEE-FCAB14BF8083} - No File
BHO: {722D2939-A14A-41A9-9EAC-AB8F4E295819} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Advertising Cookie Opt-out: {8e425eb4-adbd-4816-b1e8-49bb9decf034} - c:\program files\google\advertising cookie opt-out\opt_out.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {40D41A8B-D79B-43D7-99A7-9EE0F344C385} - No File
TB: {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: Groove Folder Synchronization: {2a541ae1-5bf6-4665-a8a3-cfa9672e4291} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\comcast\comcas~1\data\xtras\mssysmgr.exe
uRun: [DelayShred] c:\progra~1\mcafee\mshr\shrcl.exe /p7 /q c:\docume~1\joemck~1\locals~1\temp\tempor~1\content.ie5\qh0nebcn.sh! c:\docume~1\joemck~1\locals~1\temp\tempor~1\content.ie5\odirc1u9.sh! c:\docume~1\joemck~1\locals~1\temp\tempor~1\content.ie5\khsz6luf.sh! c:\docume~1\joemck~1\locals~1\temp\tempor~1\content.ie5\01k1s72t.sh! c:\docume~1\joemck~1\locals~1\temp\tempor~1\content.sh! c:\docume~1\joemck~1\locals~1\temp\tempor~1.sh! c:\docume~1\joemck~1\locals~1\temp\tempor~1.sh!\content.sh!\qh0nebcn.sh! c:\docume~1\joemck~1\locals~1\temp\tempor~1.sh!\content.sh!\odirc1u9.sh! c:\docume~1\joemck~1\locals~1\temp\tempor~1.sh!\content.sh!\khsz6luf.sh! c:\docume~1\joemck~1\locals~1\temp\tempor~1.sh!\content.sh!\01k1s72t.sh! c:\docume~1\joemck~1\locals~1\temp\tempor~1.sh!\content.sh! c:\docume~1\joemck~1\locals~1\tempor~1\content.ie5\3a5a017i\ffffff~3.sh! c:\docume~1\joemck~1\locals~1\tempor~1\content.ie5\fctz7bbk\patrio~1.sh! c:\docume~1\joemck~1\locals~1\tempor~1\content.ie5\9azemh6f\ffffff~1.sh! c:\docume~1\joemck~1\locals~1\temp\svf3l.sh! c:\docume~1\joemck~1\locals~1\temp\hsperf~1.sh! c:\docume~1\joemck~1\locals~1\temp\google~1.sh! c:\docume~1\joemck~1\locals~1\temp\mproje~2.sh! c:\docume~1\joemck~1\locals~1\tempor~1\content.ie5\n5ldevg5\syncme~1.sh! c:\docume~1\joemck~1\locals~1\tempor~1\content.ie5\orp1gvq3\syncme~1.sh! c:\docume~1\joemck~1\locals~1\temp\tempor~1\content.ie5\x2nq3k0f.sh! c:\docume~1\joemck~1\locals~1\temp\tempor~1\content.ie5\ig3qoiqy.sh! c:\docume~1\joemck~1\locals~1\temp\history\history.sh! c:\docume~1\joemck~1\locals~1\temp\history.sh! c:\docume~1\joemck~1\locals~1\temp\cookies.sh! c:\docume~1\joemck~1\locals~1\tempor~1\content.ie5\ijfmxoxc\live_1~1.sh! c:\docume~1\joemck~1\locals~1\tempor~1\content.ie5\ww7qstl3\LPP_1_~1.SH!
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nForce Tray Options] sstray.exe /r
mRun: [CXMon] "c:\program files\hewlett-packard\photosmart\photo imaging\Hpi_Monitor.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\docume~1\joemck~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office12\GROOVE.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\BigFix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\1.0.150\SSScheduler.exe
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\progra~1\aim\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - No File
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-10 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R2 FreezeScreenSaver;FreezeScreenSaver;c:\windows\system32\FreezeScreenSaver.exe [2008-9-24 69632]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1184912]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]
R4 PCTCore;PCTools KDS;c:\windows\system32\drivers\pctcore.sys --> c:\windows\system32\drivers\PCTCore.sys [?]
S2 0084471258602410mcinstcleanup;McAfee Application Installer Cleanup (0084471258602410);c:\windows\temp\008447~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\008447~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 gupdate1c9a35abd5c4136;Google Update Service (gupdate1c9a35abd5c4136);c:\program files\google\update\GoogleUpdate.exe [2009-3-12 133104]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2009-2-25 13088]

=============== Created Last 30 ================

2009-11-27 18:18:31 1640400 ----a-w- c:\windows\PCTBDCore.dll
2009-11-27 18:12:50 0 d-----w- c:\program files\common files\PC Tools
2009-11-27 18:12:48 0 d-----w- c:\program files\Spyware Doctor
2009-11-27 16:05:49 104703 -c--a-w- C:\MGlogs.zip
2009-11-27 16:05:17 0 dc----w- C:\MGtools
2009-11-27 16:02:23 0 dcs---w- C:\ComboFix
2009-11-26 14:48:33 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-11-26 14:47:40 0 d-----w- c:\program files\SUPERAntiSpyware
2009-11-26 14:47:40 0 d-----w- c:\docume~1\joemck~1\applic~1\SUPERAntiSpyware.com
2009-11-26 14:46:51 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-11-25 23:12:50 0 d-----w- c:\program files\CCleaner
2009-11-23 11:37:05 434 -c--a-w- C:\2.js
2009-11-18 02:24:44 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-13 23:25:29 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-10 23:23:00 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-10 22:24:03 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-29 23:07:20 0 dc----w- C:\users

==================== Find3M ====================

2009-11-27 13:52:27 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-11 09:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-30 19:44:51 356352 ----a-w- c:\windows\system32\pc.exe
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2006-09-07 01:14:28 21290704 ----a-w- c:\program files\AdbeRdr708_en_US.exe
2006-09-07 01:13:14 7050552 ----a-w- c:\program files\psa30se_en_us.exe
2006-09-07 01:12:49 762512 ----a-w- c:\program files\ytb612_efgsip.exe
2006-01-22 03:22:46 774144 ----a-w- c:\program files\RngInterstitial.dll
2003-11-21 20:13:48 5387 ----a-r- c:\program files\Setup.ini
2003-09-22 16:26:56 435 ----a-r- c:\program files\layout.bin
2003-09-22 16:26:56 108233 ----a-r- c:\program files\data2.cab
2003-09-22 16:26:54 47160 ----a-r- c:\program files\data1.hdr
2003-09-22 16:26:54 4635940 ----a-r- c:\program files\data1.cab
2003-09-22 16:26:46 211712 ----a-r- c:\program files\setup.inx
2001-09-05 08:24:02 344923 ----a-r- c:\program files\ikernel.ex_
2003-03-31 12:00:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12:07 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:11:56 1028096 --sha-w- c:\windows\system32\mfc42.dll
2008-04-14 00:12:01 57344 --sha-w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12:01 343040 --sha-w- c:\windows\system32\msvcrt.dll
2008-04-14 00:12:32 11776 --sh--w- c:\windows\system32\regsvr32.exe
2008-10-18 07:07:30 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101820081019\index.dat

============= FINISH: 16:44:45.73 ===============

GMER log:

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-28 13:52:24
Windows 5.1.2600 Service Pack 3
Running: xp0urg27.exe; Driver: C:\DOCUME~1\JOEMCK~1\LOCALS~1\Temp\pwtdapod.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF755787E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7557BFE]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEB04A0B0]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEB36178A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEB361738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEB36174C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xEB361837]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xEB361863]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xEB3618D1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xEB3618BB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEB3617CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xEB3618FD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xEB36180D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEB361710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEB361724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEB36179E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xEB361939]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xEB36188F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEB361776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEB361762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEB3617F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xEB3618E7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEB3617E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEB3617B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 451 804E2AAD 3 Bytes [A0, 04, EB]
.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP EB3617B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80568EE9 5 Bytes JMP EB361811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 8056A382 7 Bytes JMP EB361893 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056F600 5 Bytes JMP EB36178E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 80570441 5 Bytes JMP EB361766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 805732AD 7 Bytes JMP EB36193D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 805735A4 7 Bytes JMP EB3618D5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805741D0 5 Bytes JMP EB361714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 8057457F 7 Bytes JMP EB3617A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 80578606 5 Bytes JMP EB3617E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80578A81 7 Bytes JMP EB3617CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 80581030 7 Bytes JMP EB361750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805836B0 5 Bytes JMP EB3617FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058B58D 5 Bytes JMP EB361728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 8058BA5D 5 Bytes JMP EB361901 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 80590669 7 Bytes JMP EB3618BF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80592D50 7 Bytes JMP EB361867 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 805952BE 7 Bytes JMP EB36183B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B136A 5 Bytes JMP EB36173C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062DD47 5 Bytes JMP EB36177A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 8064DA6E 7 Bytes JMP EB3618EB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064E394 7 Bytes JMP EB3618A9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064E812 7 Bytes JMP EB361851 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8064ED05 5 Bytes JMP EB361915 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 8064F16E 5 Bytes JMP EB361929 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
init C:\WINDOWS\system32\drivers\nvax.sys entry point in "init" section [0xF6CE4B8D]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Messenger\msmsgs.exe[236] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 011F0FEF
.text C:\Program Files\Messenger\msmsgs.exe[236] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 011F0F33
.text C:\Program Files\Messenger\msmsgs.exe[236] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 011F0F44
.text C:\Program Files\Messenger\msmsgs.exe[236] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 011F0F6B
.text C:\Program Files\Messenger\msmsgs.exe[236] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 011F0F7C
.text C:\Program Files\Messenger\msmsgs.exe[236] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 011F0FA8
.text C:\Program Files\Messenger\msmsgs.exe[236] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 011F0F18
.text C:\Program Files\Messenger\msmsgs.exe[236] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 011F0054
.text C:\Program Files\Messenger\msmsgs.exe[236] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 011F00A0
.text C:\Program Files\Messenger\msmsgs.exe[236] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 011F0F07
.text C:\Program Files\Messenger\msmsgs.exe[236] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 011F0EE2
.text C:\Program Files\Messenger\msmsgs.exe[236] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 011F0F8D
.text C:\Program Files\Messenger\msmsgs.exe[236] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 011F0FDE
.text C:\Program Files\Messenger\msmsgs.exe[236] kernel32.dll!CreatePipe 7C81D83F 1 Byte [E9]
.text C:\Program Files\Messenger\msmsgs.exe[236] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 011F0043
.text C:\Program Files\Messenger\msmsgs.exe[236] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 011F0014
.text C:\Program Files\Messenger\msmsgs.exe[236] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 011F0FC3
.text C:\Program Files\Messenger\msmsgs.exe[236] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 011F007B
.text C:\Program Files\Messenger\msmsgs.exe[236] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 011D0FD2
.text C:\Program Files\Messenger\msmsgs.exe[236] msvcrt.dll!system 77C293C7 5 Bytes JMP 011D005D
.text C:\Program Files\Messenger\msmsgs.exe[236] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 011D0027
.text C:\Program Files\Messenger\msmsgs.exe[236] msvcrt.dll!_open 77C2F566 5 Bytes JMP 011D000C
.text C:\Program Files\Messenger\msmsgs.exe[236] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 011D0042
.text C:\Program Files\Messenger\msmsgs.exe[236] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 011D0FEF
.text C:\Program Files\Messenger\msmsgs.exe[236] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 011E0FD4
.text C:\Program Files\Messenger\msmsgs.exe[236] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 011E0FA8
.text C:\Program Files\Messenger\msmsgs.exe[236] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 011E0025
.text C:\Program Files\Messenger\msmsgs.exe[236] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 011E0FEF
.text C:\Program Files\Messenger\msmsgs.exe[236] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 011E0065
.text C:\Program Files\Messenger\msmsgs.exe[236] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 011E000A
.text C:\Program Files\Messenger\msmsgs.exe[236] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 011E004A
.text C:\Program Files\Messenger\msmsgs.exe[236] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 011E0FC3
.text C:\Program Files\Messenger\msmsgs.exe[236] WS2_32.dll!socket 71AB4211 5 Bytes JMP 011C0FE5
.text C:\Program Files\Messenger\msmsgs.exe[236] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 011B0000
.text C:\Program Files\Messenger\msmsgs.exe[236] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 011B0FEF
.text C:\Program Files\Messenger\msmsgs.exe[236] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 011B0025
.text C:\Program Files\Messenger\msmsgs.exe[236] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 011B0FD4
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C10000
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C1006C
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C10F77
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C10F88
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C10FA5
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C10036
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C10F4B
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C10F5C
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C100C2
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C10F29
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C10F0E
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C10051
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C10FE5
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C10087
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C10FD4
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C10025
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C10F3A
.text C:\WINDOWS\System32\svchost.exe[448] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C00FB9
.text C:\WINDOWS\System32\svchost.exe[448] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C00051
.text C:\WINDOWS\System32\svchost.exe[448] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C0000A
.text C:\WINDOWS\System32\svchost.exe[448] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C00FDE
.text C:\WINDOWS\System32\svchost.exe[448] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C00F9E
.text C:\WINDOWS\System32\svchost.exe[448] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\System32\svchost.exe[448] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C00040
.text C:\WINDOWS\System32\svchost.exe[448] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C00025
.text C:\WINDOWS\System32\svchost.exe[448] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BF0058
.text C:\WINDOWS\System32\svchost.exe[448] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BF0FCD
.text C:\WINDOWS\System32\svchost.exe[448] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BF0022
.text C:\WINDOWS\System32\svchost.exe[448] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\System32\svchost.exe[448] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BF003D
.text C:\WINDOWS\System32\svchost.exe[448] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BF0FDE
.text C:\WINDOWS\System32\svchost.exe[448] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\System32\svchost.exe[448] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 001B0FD4
.text C:\WINDOWS\System32\svchost.exe[448] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 001B0FC3
.text C:\WINDOWS\System32\svchost.exe[448] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 001B001E
.text C:\WINDOWS\System32\svchost.exe[448] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FD000A
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FD00AE
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FD0093
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FD0082
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FD0065
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FD0FC3
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FD0F77
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FD0F94
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FD0F4B
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FD00DA
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FD00FF
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FD004A
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FD001B
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FD00BF
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FD0FD4
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FD0FEF
.text C:\WINDOWS\system32\services.exe[744] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FD0F5C
.text C:\WINDOWS\system32\services.exe[744] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00070FC0
.text C:\WINDOWS\system32\services.exe[744] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00070F7C
.text C:\WINDOWS\system32\services.exe[744] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00070011
.text C:\WINDOWS\system32\services.exe[744] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[744] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00070F8D
.text C:\WINDOWS\system32\services.exe[744] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[744] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00070F9E
.text C:\WINDOWS\system32\services.exe[744] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [27, 88]
.text C:\WINDOWS\system32\services.exe[744] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00070FAF
.text C:\WINDOWS\system32\services.exe[744] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060FA5
.text C:\WINDOWS\system32\services.exe[744] msvcrt.dll!system 77C293C7 5 Bytes JMP 0006003A
.text C:\WINDOWS\system32\services.exe[744] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060FDE
.text C:\WINDOWS\system32\services.exe[744] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[744] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00060029
.text C:\WINDOWS\system32\services.exe[744] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[744] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\services.exe[744] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00040011
.text C:\WINDOWS\system32\services.exe[744] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00040FE5
.text C:\WINDOWS\system32\services.exe[744] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 0004002C
.text C:\WINDOWS\system32\services.exe[744] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D70000
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D70F81
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D7006C
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D7005B
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D70FA8
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D70FC3
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D70F4B
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D70087
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D700C2
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D70F1F
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D70F04
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D7004A
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D7001B
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D70F5C
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D70FD4
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D70FE5
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D70F3A
.text C:\WINDOWS\system32\lsass.exe[756] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D60F9E
.text C:\WINDOWS\system32\lsass.exe[756] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D6003D
.text C:\WINDOWS\system32\lsass.exe[756] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D60FB9
.text C:\WINDOWS\system32\lsass.exe[756] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D60FD4
.text C:\WINDOWS\system32\lsass.exe[756] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D6002C
.text C:\WINDOWS\system32\lsass.exe[756] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D60FE5
.text C:\WINDOWS\system32\lsass.exe[756] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D6001B
.text C:\WINDOWS\system32\lsass.exe[756] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D6000A
.text C:\WINDOWS\system32\lsass.exe[756] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D50070
.text C:\WINDOWS\system32\lsass.exe[756] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D5005F
.text C:\WINDOWS\system32\lsass.exe[756] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D50029
.text C:\WINDOWS\system32\lsass.exe[756] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D50000
.text C:\WINDOWS\system32\lsass.exe[756] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D50044
.text C:\WINDOWS\system32\lsass.exe[756] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D50FEF
.text C:\WINDOWS\system32\lsass.exe[756] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D4000A
.text C:\WINDOWS\system32\lsass.exe[756] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 0094000A
.text C:\WINDOWS\system32\lsass.exe[756] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 0094001B
.text C:\WINDOWS\system32\lsass.exe[756] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 0094002C
.text C:\WINDOWS\system32\lsass.exe[756] WININET.dll!InternetOpenUrlW 3D998439 1 Byte [E9]
.text C:\WINDOWS\system32\lsass.exe[756] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 0094003D
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0265000A
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02650F6B
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02650F7C
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02650056
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02650F8D
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02650FC3
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02650F3F
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02650087
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 026500BD
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02650F24
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02650F09
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02650FA8
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02650FEF
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02650F50
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0265002F
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02650FDE
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 026500A2
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0264002C
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0264006C
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0264001B
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0264000A
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02640051
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02640FE5
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02640FB9
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [84, 8A]
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02640FCA
.text C:\WINDOWS\system32\svchost.exe[928] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02630049
.text C:\WINDOWS\system32\svchost.exe[928] msvcrt.dll!system 77C293C7 5 Bytes JMP 02630FC8
.text C:\WINDOWS\system32\svchost.exe[928] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02630027
.text C:\WINDOWS\system32\svchost.exe[928] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02630FEF
.text C:\WINDOWS\system32\svchost.exe[928] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02630038
.text C:\WINDOWS\system32\svchost.exe[928] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0263000C
.text C:\WINDOWS\system32\svchost.exe[928] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 02610000
.text C:\WINDOWS\system32\svchost.exe[928] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 02610011
.text C:\WINDOWS\system32\svchost.exe[928] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 02610022
.text C:\WINDOWS\system32\svchost.exe[928] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 02610033
.text C:\WINDOWS\system32\svchost.exe[928] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02620000
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01200FE5
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01200F77
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01200F88
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0120006C
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0120005B
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0120002C
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 012000B3
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 012000A2
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 012000DF
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01200F50
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01200F2B
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01200FAF
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01200000
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01200091
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0120001B
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01200FCA
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 012000CE
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 011F0FAF
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 011F0F79
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 011F0000
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 011F0FD4
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 011F0036
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 011F0FE5
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 011F0025
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 011F0F94
.text C:\WINDOWS\system32\svchost.exe[996] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 011E0FCF
.text C:\WINDOWS\system32\svchost.exe[996] msvcrt.dll!system 77C293C7 5 Bytes JMP 011E005A
.text C:\WINDOWS\system32\svchost.exe[996] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 011E002E
.text C:\WINDOWS\system32\svchost.exe[996] msvcrt.dll!_open 77C2F566 5 Bytes JMP 011E0000
.text C:\WINDOWS\system32\svchost.exe[996] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 011E003F
.text C:\WINDOWS\system32\svchost.exe[996] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 011E001D
.text C:\WINDOWS\system32\svchost.exe[996] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\svchost.exe[996] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00FF0FDE
.text C:\WINDOWS\system32\svchost.exe[996] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00FF0014
.text C:\WINDOWS\system32\svchost.exe[996] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00FF0025
.text C:\WINDOWS\system32\svchost.exe[996] WS2_32.dll!socket 71AB4211 5 Bytes JMP 011D0000
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 025B0FEF
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 025B0093
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 025B0F94
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 025B0078
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 025B0FAF
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 025B0036
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 025B00B5
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 025B00A4
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 025B00F5
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 025B0F52
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 025B0F41
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 025B0047
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 025B000A
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 025B0F83
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 025B0FCA
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 025B001B
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 025B00D0
.text C:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 023F0FAF
.text C:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 023F0F83
.text C:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 023F0FCA
.text C:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 023F0000
.text C:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 023F0040
.text C:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 023F0FE5
.text C:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 023F0025
.text C:\WINDOWS\System32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 023F0F9E
.text C:\WINDOWS\System32\svchost.exe[1092] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 023E0F75
.text C:\WINDOWS\System32\svchost.exe[1092] msvcrt.dll!system 77C293C7 5 Bytes JMP 023E000A
.text C:\WINDOWS\System32\svchost.exe[1092] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 023E0FB5
.text C:\WINDOWS\System32\svchost.exe[1092] msvcrt.dll!_open 77C2F566 5 Bytes JMP 023E0FEF
.text C:\WINDOWS\System32\svchost.exe[1092] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 023E0F9A
.text C:\WINDOWS\System32\svchost.exe[1092] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 023E0FD2
.text C:\WINDOWS\System32\svchost.exe[1092] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 02020000
.text C:\WINDOWS\System32\svchost.exe[1092] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 02020011
.text C:\WINDOWS\System32\svchost.exe[1092] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 02020022
.text C:\WINDOWS\System32\svchost.exe[1092] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 02020FD1
.text C:\WINDOWS\System32\svchost.exe[1092] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02030000
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AA0000
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AA0086
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AA0F91
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AA0075
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AA0058
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AA0FB6
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AA0F6C
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AA00A8
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AA00F1
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AA00D6
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AA0F3D
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AA003D
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AA0FDB
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AA0097
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00AA0022
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00AA0011
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AA00C5
.text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A9000A
.text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A90F72
.text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A90FB9
.text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A90FDE
.text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A90F83
.text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A90FEF
.text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A90F9E
.text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C9, 88]
.text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A9001B
.text C:\WINDOWS\System32\svchost.exe[1204] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A80FD4
.text C:\WINDOWS\System32\svchost.exe[1204] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A80FEF
.text C:\WINDOWS\System32\svchost.exe[1204] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A8003A
.text C:\WINDOWS\System32\svchost.exe[1204] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A80000
.text C:\WINDOWS\System32\svchost.exe[1204] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A8005F
.text C:\WINDOWS\System32\svchost.exe[1204] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A80029
.text C:\WINDOWS\System32\svchost.exe[1204] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00A60FEF
.text C:\WINDOWS\System32\svchost.exe[1204] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00A6000A
.text C:\WINDOWS\System32\svchost.exe[1204] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00A60FDE
.text C:\WINDOWS\System32\svchost.exe[1204] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00A6002F
.text C:\WINDOWS\System32\svchost.exe[1204] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A70000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00270FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00270F7E
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00270073
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00270062
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00270051
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00270025
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 002700BC
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 002700AB
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00270F59
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 002700F2
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0027010D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00270036
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00270FD4
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0027008E
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00270014
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00270FC3
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 002700E1
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00360FB2
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00360F61
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00360FC3
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00360FDE
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00360F7C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00360FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0036001E
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00360F97
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E351FF7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351F78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E351FBC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351F04 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351F3E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E352032 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00370F9C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] msvcrt.dll!system 77C293C7 5 Bytes JMP 00370FAD
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00370FE3
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0037000C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00370FD2
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0037001D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3521F4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00A7000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00A70FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00A70FD4
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00A70FC3
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1260] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00260FE5
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CA0089
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CA0078
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CA0067
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CA004A
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CA0FB9
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CA00C6
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CA00AB
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CA0106
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CA0F63
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CA0121
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CA0FA8
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CA000A
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CA009A
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CA002F
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CA0FD4
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CA00E1
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C90051
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C90FC0
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C90040
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C90025
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C9007D
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C9000A
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C9006C
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C90FEF
.text C:\WINDOWS\System32\svchost.exe[1480] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C80049
.text C:\WINDOWS\System32\svchost.exe[1480] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C8002E
.text C:\WINDOWS\System32\svchost.exe[1480] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C8001D
.text C:\WINDOWS\System32\svchost.exe[1480] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C80FE3
.text C:\WINDOWS\System32\svchost.exe[1480] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C80FC8
.text C:\WINDOWS\System32\svchost.exe[1480] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C80000
.text C:\WINDOWS\System32\svchost.exe[1480] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00C60000
.text C:\WINDOWS\System32\svchost.exe[1480] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00C60FE5
.text C:\WINDOWS\System32\svchost.exe[1480] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00C60011
.text C:\WINDOWS\System32\svchost.exe[1480] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00C60FC0
.text C:\WINDOWS\System32\svchost.exe[1480] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C7000A
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02170FEF
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 021700A7
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02170096
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0217007B
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02170FB2
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02170FC3
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02170F69
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02170F86
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 021700DD
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 021700CC
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 021700EE
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02170054
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02170000
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02170F97
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02170025
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02170FD4
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02170F4E
.text C:\WINDOWS\Explorer.EXE[1492] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 020E0FC3
.text C:\WINDOWS\Explorer.EXE[1492] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 020E004A
.text C:\WINDOWS\Explorer.EXE[1492] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 020E001E
.text C:\WINDOWS\Explorer.EXE[1492] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 020E0FDE
.text C:\WINDOWS\Explorer.EXE[1492] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 020E0F8D
.text C:\WINDOWS\Explorer.EXE[1492] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 020E0FEF
.text C:\WINDOWS\Explorer.EXE[1492] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 020E0039
.text C:\WINDOWS\Explorer.EXE[1492] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 020E0FB2
.text C:\WINDOWS\Explorer.EXE[1492] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 020D0070
.text C:\WINDOWS\Explorer.EXE[1492] msvcrt.dll!system 77C293C7 5 Bytes JMP 020D0055
.text C:\WINDOWS\Explorer.EXE[1492] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 020D0FEF
.text C:\WINDOWS\Explorer.EXE[1492] msvcrt.dll!_open 77C2F566 5 Bytes JMP 020D0000
.text C:\WINDOWS\Explorer.EXE[1492] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 020D0044
.text C:\WINDOWS\Explorer.EXE[1492] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 020D0029
.text C:\WINDOWS\Explorer.EXE[1492] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 01320000
.text C:\WINDOWS\Explorer.EXE[1492] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 01320011
.text C:\WINDOWS\Explorer.EXE[1492] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 01320FE5
.text C:\WINDOWS\Explorer.EXE[1492] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 01320036
.text C:\WINDOWS\Explorer.EXE[1492] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01C90FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[3552] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[3552] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\System32\svchost.exe[4060] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E20000
.text C:\WINDOWS\System32\svchost.exe[4060] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E20F5E
.text C:\WINDOWS\System32\svchost.exe[4060] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E20F79
.text C:\WINDOWS\System32\svchost.exe[4060] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E20F94
.text C:\WINDOWS\System32\svchost.exe[4060] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E20051
.text C:\WINDOWS\System32\svchost.exe[4060] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E20036
.text C:\WINDOWS\System32\svchost.exe[4060] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E20089
.text C:\WINDOWS\System32\svchost.exe[4060] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E20F43
.text C:\WINDOWS\System32\svchost.exe[4060] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E20F04
.text C:\WINDOWS\System32\svchost.exe[4060] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E20F15
.text C:\WINDOWS\System32\svchost.exe[4060] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E200C2
.text C:\WINDOWS\System32\svchost.exe[4060] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E20FAF
.text C:\WINDOWS\System32\svchost.exe[4060] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E20FDB
.text C:\WINDOWS\System32\svchost.exe[4060] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E2006E
.text C:\WINDOWS\System32\svchost.exe[4060] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E20FCA
.text C:\WINDOWS\System32\svchost.exe[4060] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E20011
.text C:\WINDOWS\System32\svchost.exe[4060] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E20F26
.text C:\WINDOWS\System32\svchost.exe[4060] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E1002C
.text C:\WINDOWS\System32\svchost.exe[4060] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E10069
.text C:\WINDOWS\System32\svchost.exe[4060] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E1001B
.text C:\WINDOWS\System32\svchost.exe[4060] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E10FE5
.text C:\WINDOWS\System32\svchost.exe[4060] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E10058
.text C:\WINDOWS\System32\svchost.exe[4060] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E10000
.text C:\WINDOWS\System32\svchost.exe[4060] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E1003D
.text C:\WINDOWS\System32\svchost.exe[4060] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E10FB6
.text C:\WINDOWS\System32\svchost.exe[4060] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E00038
.text C:\WINDOWS\System32\svchost.exe[4060] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E00FAD
.text C:\WINDOWS\System32\svchost.exe[4060] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E0001D
.text C:\WINDOWS\System32\svchost.exe[4060] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E00FEF
.text C:\WINDOWS\System32\svchost.exe[4060] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E00FBE
.text C:\WINDOWS\System32\svchost.exe[4060] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E0000C
.text C:\WINDOWS\System32\svchost.exe[4060] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00DF0FEF
.text C:\WINDOWS\System32\svchost.exe[4060] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00DF000A
.text C:\WINDOWS\System32\svchost.exe[4060] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00DF0025
.text C:\WINDOWS\System32\svchost.exe[4060] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00DF0FD4

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 84E22369

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 60: copy of MBR

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Joe McKain\Cookies\joe_mckain@doubleclick[1].txt 0 bytes
File C:\Documents and Settings\Joe McKain\Local Settings\Temporary Internet Files\Content.IE5\5Z3O163F\tm-icons[1].gif 0 bytes
File C:\Documents and Settings\Joe McKain\Local Settings\Temporary Internet Files\Content.IE5\5Z3O163F\index[1].gif 0 bytes
File C:\Documents and Settings\Joe McKain\Local Settings\Temporary Internet Files\Content.IE5\5Z3O163F\yahoo[1].gif 0 bytes
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
Sophos Anti-Rootkit

Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 11/29/2009 at 17:33:16 PM
User "Joe McKain" on computer "OFFICE"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Program Files\Google\Picasa3\Picasa3i18n.dll
Hidden: file C:\Documents and Settings\Joe McKain\Local Settings\Temporary Internet Files\Content.IE5\JY5PMI4N\ol;f=allergyasthma;sect=allergybasics;pageid=helpcontrol;!category=hvnet;!category=allergyasthma;dcopt=ist;pos=1;tile=1;sz=728x90;pm=1;ord=5557443954599577[1]
Hidden: file C:\Documents and Settings\Joe McKain\Local Settings\Temporary Internet Files\Content.IE5\JY5PMI4N\sics_helpcontrol;f=allergyasthma;sect=allergybasics;pageid=helpcontrol;!category=hvnet;!category=allergyasthma;pos=7;tile=7;sz=300x250;ord=5557443954599577[1]
Hidden: file C:\Documents and Settings\Joe McKain\Local Settings\Temporary Internet Files\Content.IE5\5Z3O163F\H6JZHI01COC352ML7LYS9IJ81&meta=&browsertoken=U&platformtoken=Win32&language=en-us&pagetitle=NeXplore%20-%20Search&referer=&screen=1024x768&localtime=12%3A2[1]
Hidden: file C:\Program Files\Comcast\Comcast PhotoShow 4\data\Xtras\AnyShape.x32
Hidden: file C:\Documents and Settings\Joe McKain\Local Settings\Temporary Internet Files\Content.IE5\CC3XOWW3\ics;net=ns;u=ns-67685877_1259427805,1155f8104601a3e,Miscellaneous,;;kw=;tile=1;ord1=733769;sz=300x250,336x280;contx=Miscellaneous;btg=;ord=1907095292827891[1]
Hidden: file C:\WINDOWS\system32\dllcache\shell32.dll
Hidden: file C:\Documents and Settings\Joe McKain\Local Settings\Temporary Internet Files\Content.IE5\9I3OGKW8\tom;net=ns;u=ns-57197668_1259427811,1155f8104601a3e,Miscellaneous,;;kw=;tile=2;ord1=757867;sz=300x250,336x280;contx=Miscellaneous;btg=;ord=1907095292827891[1]
Hidden: file C:\Documents and Settings\Joe McKain\Desktop\RootRepeal\RootRepeal.exe
Hidden: file C:\Documents and Settings\Joe McKain\Local Settings\Temporary Internet Files\Content.IE5\9I3OGKW8\DDa7cbDMyFIvJK7n0BpzMn1rmsN3r7qXAiw2Cev5d8qr_HPoTx9yhksGHlX7UoE3XqcbgiqPFGGI5EsAPUPQ3SCr8oTJ06S3c5RBxo1978HOkId1Zr2JDZC81f9xLs[1].nKl7CTEUGARaV2diphHfbCwqmFNQ-
Hidden: file C:\Documents and Settings\Joe McKain\Local Settings\Temporary Internet Files\Content.IE5\9I3OGKW8\qW0WeCTJh0P1ygx_np4qZw5qrWPJcqn_AYqjbAadbCsTf_Yv7r2.C_oOkFqhnIYvpkTwYqR2iy5SPcR5xOkyOx8hYmx1JGBbO1fclo_ueHRS8QdxXTAITs.3HswQIxUdA1aTWzqmkRwm9cxd37l33.nL[1].css
Hidden: file C:\Program Files\Hewlett-Packard\PhotoSmart\Update\bin\awt.dll
Hidden: file C:\Documents and Settings\Joe McKain\Local Settings\Temporary Internet Files\Content.IE5\JY5PMI4N\qavKGtaTBl1f6LmI_NoUFdyYQzuCdcacScBJRQ3G9w1eOJDvzR_6VnQfZAYCZj0RqIwoJ8I2qq3rpmEYeVofScNmW6lK0h4hbk8YhljZM5lyaTZch7DAqoGzfUSUnhsoWuaS3Pumvb15fzT_wlsHhw0[1].css
Hidden: file C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP1510\A0244052.exe
Hidden: file C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP1510\A0244136.exe
Hidden: file C:\ComboFix\pev.exe
Hidden: file C:\ComboFix\PEV.cfxxe
Hidden: file C:\Program Files\Google\GoogleToolbarNotifier\swg-5.4.4525.1752\SearchWithGoogleUpdate.exe
Hidden: file C:\WINDOWS\$NtUninstallKB918899$\shdocvw.dll
Hidden: file C:\Documents and Settings\Joe McKain\Desktop\dds.scr
Hidden: file C:\WINDOWS\ServicePackFiles\i386\wmvcore.dll
Hidden: file C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP1499\A0242756.rbf
Hidden: file C:\WINDOWS\$NtUninstallKB871250$\query.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
Hidden: file C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\ieapfltr.dat
Hidden: file C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP1430\A0230385.rbf
Hidden: file C:\Program Files\MediaServices\Allofmp3\Allofmp3.exe
Hidden: file C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data\694c07365e0fd6bba0bc304d4d2404a7\System.Data.ni.dll
Hidden: file C:\Documents and Settings\Brendan McKain\Local Settings\Temporary Internet Files\Content.IE5\YV201C2H\%253A%252F%252Fwww.aim.com%252Fredirects%252Finclient%252FAIM_UAC_v2[1].adp%253Fmagic%253D93236874%2526width%253D120%2526height%253D90%2526sn%253DgDaWG9801
Hidden: file C:\Documents and Settings\Brendan McKain\Local Settings\Temporary Internet Files\Content.IE5\BQP7N4SY\%253A%252F%252Fwww.aim.com%252Fredirects%252Finclient%252FAIM_UAC_v2[1].adp%253Fmagic%253D93236874%2526width%253D120%2526height%253D90%2526sn%253DgDaWG9801
Hidden: file C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP1481\A0240015.rbf
Hidden: file C:\Program Files\Click'N Design 3D (V5)\StompV2.dll
Hidden: file C:\Program Files\Google\GoogleToolbarNotifier\swg-5.3.4501.1418\SearchWithGoogleUpdate.exe
Hidden: file C:\Program Files\AIM6\services\toaster\ver5_2_2_1\toaster.dll
Hidden: file C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP1430\A0230367.exe
Hidden: file C:\Documents and Settings\Kathleen McKain\Local Settings\Temporary Internet Files\Content.IE5\KEDBLJYX\FeRAnnUHFWUFn52rAsUqQrTaFaSTnHQGBIRrInStvaWGr54UTpmtIt0qaw3tMCQsZbF56JFpWXpVWBhXFfcXFUjXaINRFJATUB0VdF1mF3xPU7y1TQm4TFa4ar4mqZbKYFfbWWJXyprwm60Sge[1].gif
Hidden: file C:\Documents and Settings\Kathleen McKain\Local Settings\Temporary Internet Files\Content.IE5\5ZI4BY9V\site%3Dmyspace%26position%3Dleaderboard%26params[1].styles%3Dleaderboard%26page%3D14000009%26rand%3D421853576%26acnt%3D1%26schoolpage%3D0,;ord=1187642705
Hidden: file C:\Documents and Settings\Kathleen McKain\Local Settings\Temporary Internet Files\Content.IE5\J53IL8HK\index.cfm%3Ffuseaction%3Duser[1].edittopfriends%26friendid%3D142764849%26username%3Denols%26mytoken%3Dcae3b03a-72ae-4232-8441-e89002f869c3,;ord=1187642722
Hidden: file C:\Program Files\Lavasoft\Ad-Aware\ToolBox\LT\ProcessWatch.exe
Stopped logging on 11/29/2009 at 19:19:08 PM

Edited by Orange Blossom, 30 November 2009 - 07:24 PM.
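A note on how to read the GMER block above, with an added triage script that is not part of the original post. Every ".text ... 5 Bytes JMP" line means the first five bytes of an exported API in that process were overwritten with a jump to the address shown. When the jump lands inside a loaded image, GMER appends the owning module and vendor, as it does for the two mcproxy.exe hooks, which point back into McAfee's own executable. The svchost.exe[1480], svchost.exe[4060] and Explorer.EXE hooks carry no such attribution: their targets (00C6xxxx, 00C9xxxx, 0217xxxx and so on) sit in anonymous memory, and the APIs covered (CreateProcess*, LoadLibrary*, CreateFile*, Reg*, InternetOpen*, socket) are the ones an injected component uses to watch process creation, file, registry and network activity. The script below parses a handful of lines copied from the log (constructed sample, not a full log), groups hooks per process, and reports which processes have unattributed hook targets. The process keys, the flag names and the page-grouping of trampoline addresses are my own choices, not GMER's.

```python
"""Triage GMER '.text ... N Bytes JMP' inline-hook lines.

Added example: groups hooked APIs per process and separates hooks whose JMP
target GMER could attribute to a loaded module (line ends with a module
path and vendor) from hooks whose target lies in anonymous memory (line
ends right after the target address).  The latter is the user-mode
footprint one expects from injected rootkit code.
"""
import re
from collections import defaultdict

# Constructed sample: six lines copied from the GMER log in the post above.
SAMPLE_GMER = r"""
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C90040
.text C:\WINDOWS\System32\svchost.exe[1480] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00C60000
.text C:\WINDOWS\System32\svchost.exe[1480] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C7000A
.text C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 021700DD
.text C:\WINDOWS\Explorer.EXE[1492] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 01320036
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[3552] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
"""

# One GMER hook line: section, "<process path>[pid]", DLL!export, export
# address, patch length, JMP target, and an optional owning-module suffix.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[(?P<pid>\d+)\])\s+"
    r"(?P<mod>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<owner>.+))?$"
)


def parse_hooks(text):
    """Return one dict per hook line; 'owner' is None when unattributed."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        # Key by "image.exe[pid]" so the same binary in two PIDs stays separate.
        proc = m.group("proc").rsplit("\\", 1)[-1]
        hooks.append({
            "process": proc,
            "api": f"{m.group('mod')}!{m.group('func')}",
            "target": int(m.group("target"), 16),
            "owner": m.group("owner"),
        })
    return hooks


def triage(text):
    """Per-process summary: hook count, unattributed count, APIs, target pages."""
    summary = defaultdict(lambda: {
        "hooked": 0, "unattributed": 0, "apis": [], "trampoline_pages": set()})
    for h in parse_hooks(text):
        s = summary[h["process"]]
        s["hooked"] += 1
        s["apis"].append(h["api"])
        if h["owner"] is None:
            s["unattributed"] += 1
            # Group targets by 4 KiB page: hooks into one DLL tend to share a
            # page of trampolines, which shows how many injected regions exist.
            s["trampoline_pages"].add(h["target"] & ~0xFFF)
    for s in summary.values():
        s["trampoline_pages"] = sorted(f"{p:08X}" for p in s["trampoline_pages"])
    return dict(summary)


def suspicious_processes(summary):
    """Processes with at least one hook GMER could not attribute to a module."""
    return sorted(p for p, s in summary.items() if s["unattributed"] > 0)


if __name__ == "__main__":
    result = triage(SAMPLE_GMER)
    for proc in suspicious_processes(result):
        s = result[proc]
        print(f"{proc}: {s['unattributed']}/{s['hooked']} unattributed hooks, "
              f"trampoline pages {s['trampoline_pages']}")
        print("   " + ", ".join(s["apis"]))
```

On the full log, svchost.exe[1480], svchost.exe[4060] and Explorer.EXE come out with every hook unattributed while mcproxy.exe comes out clean, which is the split a responder wants before deciding which processes to dump. An attributed hook is not automatically benign (security products and malware both hook), and an unattributed one is not proof on its own; it is the combination with the "atapi.sys suspicious modification" line and the hidden files that makes the picture.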


#2 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 30 November 2009 - 08:11 PM

Hi, Joeymac :(

Welcome.

Please read and follow all these instructions very carefully.

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

=====================================================================


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply.
  • Install the Recovery Console upon request.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

+++++++++++++++++++++++++++++++++++++++


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    atapi.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Joeymac (Topic Starter)

Posted 01 December 2009 - 03:57 PM

Cannot download combofix from the links. MCAFEE returns this message.

About this Trojan
Detected: Artemis!402D091E91D3 (Trojan), Artemis!402D091E91D3 (Trojan)
Location: C:\Documents and Settings\Joe McKain\Local Settings\Temporary Internet Files\Content.IE5\1I4DOZD3\ComboFix[1].exe

Trojans appear as legitimate programs but can damage valuable files, disrupt performance, and allow unauthorized access to your computer.

#4 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 01 December 2009 - 05:26 PM

Cannot download combofix from the links. MCAFEE returns this message.

About this Trojan
Detected: Artemis!402D091E91D3 (Trojan), Artemis!402D091E91D3 (Trojan)
Location: C:\Documents and Settings\Joe McKain\Local Settings\Temporary Internet Files\Content.IE5\1I4DOZD3\ComboFix[1].exe

Trojans appear as legitimate programs but can damage valuable files, disrupt performance, and allow unauthorized access to your computer.

Disable McAfee and instead of downloading to a temp folder, download to the desktop.



#5 Joeymac (Topic Starter)

Posted 01 December 2009 - 06:54 PM

Ran ComboFix. It detected something called EI/CAR I believe. After it completed and rebooted, it was preparing a log and the power in my house went off for 10 minutes. Never got a log since the computer went off. Do I need to rerun? Thanks

#6 Joeymac (Topic Starter)

Posted 01 December 2009 - 07:01 PM

Here are the 2 files from SystemLook and Malwarebytes

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 18:55 on 01/12/2009 by Joe McKain (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [21:33 17/10/2008] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--c 96512 bytes [21:45 12/05/2004] [20:13 30/11/2009] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--c 96512 bytes [21:45 12/05/2004] [20:13 30/11/2009] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys --a--- 86912 bytes [18:22 08/05/2004] [19:00 31/03/2003] 95B858761A00E1D4F81F79A0DA019ACA

-=End Of File=-

Malwarebytes' Anti-Malware 1.41
Database version: 3268
Windows 5.1.2600 Service Pack 3

12/1/2009 3:52:21 PM
mbam-log-2009-12-01 (15-52-21).txt

Scan type: Quick Scan
Objects scanned: 138111
Time elapsed: 14 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
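The SystemLook output above lists five copies of atapi.sys with size, two bracketed timestamps and an MD5. The responder's next step (below) treats the ServicePackFiles\i386 copy as the known-good reference, so the comparison worth automating is each copy against that one. The script here is an added example, not part of the thread: it parses the five lines exactly as posted (constructed sample), compares size and MD5 to the reference, and flags any copy whose second timestamp falls shortly before the scan. I am reading the second bracket as the last-write time (an assumption about SystemLook's column order; it is the one that shows 30/11/2009 on the two live copies). The flag strings and the 7-day window are my own.

```python
"""Cross-check copies of a driver reported by SystemLook's :filefind.

Added example.  Compares every copy against a designated reference copy
(the helper uses C:\WINDOWS\ServicePackFiles\i386\atapi.sys) on size and
MD5, and flags copies written shortly before the scan.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: the filefind lines from the SystemLook log posted above.
SAMPLE_SYSTEMLOOK = r"""
Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [21:33 17/10/2008] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--c 96512 bytes [21:45 12/05/2004] [20:13 30/11/2009] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--c 96512 bytes [21:45 12/05/2004] [20:13 30/11/2009] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys --a--- 86912 bytes [18:22 08/05/2004] [19:00 31/03/2003] 95B858761A00E1D4F81F79A0DA019ACA
"""

# path, 6-char attribute string, size, [stamp1], [stamp2], MD5
FILEFIND_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+)\s+bytes\s+"
    r"\[(?P<stamp1>[^\]]+)\]\s+\[(?P<stamp2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)
TS_FMT = "%H:%M %d/%m/%Y"  # SystemLook prints time, then day/month/year


def parse_filefind(text):
    """One dict per file line; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "path": m.group("path"),
            "size": int(m.group("size")),
            "created": datetime.strptime(m.group("stamp1"), TS_FMT),
            # Assumption: second bracket is the last-write time.
            "written": datetime.strptime(m.group("stamp2"), TS_FMT),
            "md5": m.group("md5").upper(),
        })
    return entries


def triage_copies(text, scan_time, reference_dir="\\ServicePackFiles\\i386\\",
                  recent_days=7):
    """Map each non-reference path to the list of flags raised against it."""
    entries = parse_filefind(text)
    ref = next((e for e in entries
                if reference_dir.lower() in e["path"].lower()), None)
    if ref is None:
        raise ValueError("no reference copy found under " + reference_dir)
    window = timedelta(days=recent_days)
    findings = {}
    for e in entries:
        if e is ref:
            continue
        flags = []
        if e["md5"] != ref["md5"]:
            flags.append("md5 differs from reference")
        if e["size"] != ref["size"]:
            flags.append("size differs from reference")
        if timedelta(0) <= scan_time - e["written"] <= window:
            flags.append(f"last-write within {recent_days} days of scan")
        findings[e["path"]] = flags
    return findings


if __name__ == "__main__":
    # Scan time taken from the log header: 18:55 on 01/12/2009.
    for path, flags in triage_copies(SAMPLE_SYSTEMLOOK,
                                     datetime(2009, 12, 1, 18, 55)).items():
        print(path, "->", "; ".join(flags) or "matches reference")
```

On this log the two live copies (dllcache and drivers) hash identical to the reference and are flagged only for the 30/11/2009 last-write, while the two older backups differ in both size and hash simply because they are pre-SP3 builds. The matching hash is not a clean bill of health: the MD5 was computed from inside a running system whose disk driver GMER has just called suspicious, and a rootkit that filters reads of its own file can hand back clean bytes. That is why the fresh timestamp and GMER's in-memory verdict outweigh the hash here, and why the helper replaces the file from the ServicePackFiles copy rather than trusting it.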

#7 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 01 December 2009 - 07:37 PM

Hi, Joeymac :(

It is very unfortunate we can't see a Combofix report.

Please open a command window (Start -> Run, type CMD and click OK). At the prompt type the following lines (one by one) and press Enter after each line:

Ren C:\WINDOWS\system32\dllcache\atapi.sys atapi.sys.vir
Copy /y C:\WINDOWS\ServicePackFiles\i386\atapi.sys C:\WINDOWS\system32\dllcache
Copy /y C:\WINDOWS\ServicePackFiles\i386\atapi.sys C:\
Exit


On the second and third commands, a message will be returned: 1 file copied. This is important, as if the message is not returned the next set of instructions will fail.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:
Files to move:
C:\atapi.sys | C:\WINDOWS\System32\Drivers\atapi.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh DDS log .



#8 Joeymac (Topic Starter)

Posted 01 December 2009 - 08:03 PM

Here are the 2 logs that were created

DDS (Ver_09-11-24.02) - NTFSx86
Run by Joe McKain at 19:57:24.59 on Tue 12/01/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.93 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\Program Files\Microsoft Office\Office12\GROOVE.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Joe McKain\Desktop\Virus\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www6.comcast.net/a/
uLocal Page = \blank.htm
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Advertising Cookie Opt-out: {8e425eb4-adbd-4816-b1e8-49bb9decf034} - c:\program files\google\advertising cookie opt-out\opt_out.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {40D41A8B-D79B-43D7-99A7-9EE0F344C385} - No File
TB: {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: Groove Folder Synchronization: {2a541ae1-5bf6-4665-a8a3-cfa9672e4291} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\comcast\comcas~1\data\xtras\mssysmgr.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nForce Tray Options] sstray.exe /r
mRun: [CXMon] "c:\program files\hewlett-packard\photosmart\photo imaging\Hpi_Monitor.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\docume~1\joemck~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office12\GROOVE.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\BigFix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\1.0.150\SSScheduler.exe
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\progra~1\aim\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - No File
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-10 64288]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2009-2-25 13088]
S2 0084471258602410mcinstcleanup;McAfee Application Installer Cleanup (0084471258602410);c:\windows\temp\008447~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\008447~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 gupdate1c9a35abd5c4136;Google Update Service (gupdate1c9a35abd5c4136);c:\program files\google\update\GoogleUpdate.exe [2009-3-12 133104]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1184912]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5c.tmp --> c:\windows\system32\5C.tmp [?]

=============== Created Last 30 ================

2009-12-02 00:43:30 574 -c--a-w- C:\cleanup.bat
2009-12-02 00:43:30 135168 -c--a-w- C:\zip.exe
2009-12-01 22:47:31 0 dcsha-r- C:\cmdcons
2009-12-01 22:44:10 98816 ----a-w- c:\windows\sed.exe
2009-12-01 22:44:10 77312 ----a-w- c:\windows\MBR.exe
2009-12-01 22:44:10 260608 ----a-w- c:\windows\PEV.exe
2009-12-01 22:44:10 161792 ----a-w- c:\windows\SWREG.exe
2009-12-01 22:43:32 0 dc----w- C:\ComboFix
2009-12-01 20:34:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-01 20:34:11 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-01 20:34:06 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-29 22:32:50 0 d-----w- c:\program files\Sophos
2009-11-27 16:05:49 104703 -c--a-w- C:\MGlogs.zip
2009-11-27 16:05:17 0 dc----w- C:\MGtools
2009-11-26 14:48:33 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-11-26 14:47:40 0 d-----w- c:\program files\SUPERAntiSpyware
2009-11-26 14:47:40 0 d-----w- c:\docume~1\joemck~1\applic~1\SUPERAntiSpyware.com
2009-11-25 23:12:50 0 d-----w- c:\program files\CCleaner
2009-11-23 11:37:05 434 -c--a-w- C:\2.js
2009-11-18 02:24:44 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-13 23:25:29 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-10 23:23:00 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-10 22:24:03 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}

==================== Find3M ====================

2009-10-11 09:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2006-09-07 01:14:28 21290704 ----a-w- c:\program files\AdbeRdr708_en_US.exe
2006-09-07 01:13:14 7050552 ----a-w- c:\program files\psa30se_en_us.exe
2006-09-07 01:12:49 762512 ----a-w- c:\program files\ytb612_efgsip.exe
2006-01-22 03:22:46 774144 ----a-w- c:\program files\RngInterstitial.dll
2003-11-21 20:13:48 5387 ----a-r- c:\program files\Setup.ini
2003-09-22 16:26:56 435 ----a-r- c:\program files\layout.bin
2003-09-22 16:26:56 108233 ----a-r- c:\program files\data2.cab
2003-09-22 16:26:54 47160 ----a-r- c:\program files\data1.hdr
2003-09-22 16:26:54 4635940 ----a-r- c:\program files\data1.cab
2003-09-22 16:26:46 211712 ----a-r- c:\program files\setup.inx
2001-09-05 08:24:02 344923 ----a-r- c:\program files\ikernel.ex_
2003-03-31 12:00:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12:07 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:11:56 1028096 --sha-w- c:\windows\system32\mfc42.dll
2008-04-14 00:12:01 57344 --sha-w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12:01 343040 --sha-w- c:\windows\system32\msvcrt.dll
2008-04-14 00:12:32 11776 --sh--w- c:\windows\system32\regsvr32.exe
2008-10-18 07:07:30 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101820081019\index.dat

============= FINISH: 19:59:25.81 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-11-24.02)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 6/21/2004 6:13:38 PM
System Uptime: 12/1/2009 7:45:11 PM (0 hours ago)

Motherboard: First International Computer, Inc. | | AU31
Processor: AMD Athlon™ XP 2800+ | Socket A | 2088/166mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 75 GiB total, 26.437 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1419: 9/3/2009 2:26:05 PM - System Checkpoint
RP1420: 9/4/2009 3:58:39 PM - System Checkpoint
RP1421: 9/5/2009 11:59:48 PM - System Checkpoint
RP1422: 9/7/2009 2:54:00 AM - System Checkpoint
RP1423: 9/8/2009 10:55:05 AM - System Checkpoint
RP1424: 9/8/2009 8:05:20 PM - Installed McAfee Virtual Technician
RP1425: 9/10/2009 12:42:31 AM - System Checkpoint
RP1426: 9/10/2009 3:00:32 AM - Software Distribution Service 3.0
RP1427: 9/11/2009 8:29:25 AM - System Checkpoint
RP1428: 9/12/2009 4:42:25 PM - System Checkpoint
RP1429: 9/13/2009 5:05:50 PM - System Checkpoint
RP1430: 9/15/2009 12:29:19 AM - System Checkpoint
RP1431: 9/16/2009 4:39:04 AM - System Checkpoint
RP1432: 9/17/2009 11:51:48 AM - System Checkpoint
RP1433: 9/18/2009 7:05:31 PM - System Checkpoint
RP1434: 9/20/2009 2:30:11 AM - System Checkpoint
RP1435: 9/21/2009 2:55:08 AM - System Checkpoint
RP1436: 9/22/2009 4:05:54 PM - System Checkpoint
RP1437: 9/22/2009 4:52:26 PM - System Checkpoint
RP1438: 9/24/2009 12:23:06 AM - System Checkpoint
RP1439: 9/25/2009 8:23:04 AM - System Checkpoint
RP1440: 9/26/2009 4:02:48 PM - System Checkpoint
RP1441: 9/27/2009 4:03:57 PM - System Checkpoint
RP1442: 9/29/2009 12:02:49 AM - System Checkpoint
RP1443: 9/29/2009 3:00:33 AM - Software Distribution Service 3.0
RP1444: 9/30/2009 7:45:28 AM - System Checkpoint
RP1445: 10/1/2009 3:56:21 PM - System Checkpoint
RP1446: 10/2/2009 11:44:21 PM - System Checkpoint
RP1447: 10/4/2009 7:44:22 AM - System Checkpoint
RP1448: 10/5/2009 1:07:43 PM - System Checkpoint
RP1449: 10/6/2009 1:08:12 PM - System Checkpoint
RP1450: 10/7/2009 8:06:04 PM - System Checkpoint
RP1451: 10/8/2009 8:49:54 PM - System Checkpoint
RP1452: 10/10/2009 3:46:24 AM - System Checkpoint
RP1453: 10/11/2009 3:47:30 AM - System Checkpoint
RP1454: 10/12/2009 11:47:30 AM - System Checkpoint
RP1455: 10/13/2009 7:47:29 PM - System Checkpoint
RP1456: 10/14/2009 8:49:52 PM - System Checkpoint
RP1457: 10/15/2009 3:00:52 AM - Software Distribution Service 3.0
RP1458: 10/16/2009 3:46:01 AM - System Checkpoint
RP1459: 10/17/2009 12:02:02 PM - System Checkpoint
RP1460: 10/18/2009 12:08:51 PM - System Checkpoint
RP1461: 10/19/2009 12:19:28 PM - System Checkpoint
RP1462: 10/20/2009 8:31:54 PM - System Checkpoint
RP1463: 10/21/2009 8:46:21 PM - System Checkpoint
RP1464: 10/22/2009 9:51:22 PM - System Checkpoint
RP1465: 10/24/2009 5:28:45 AM - System Checkpoint
RP1466: 10/25/2009 9:49:42 AM - System Checkpoint
RP1467: 10/26/2009 10:01:40 AM - System Checkpoint
RP1468: 10/27/2009 6:28:37 PM - System Checkpoint
RP1469: 10/29/2009 1:49:43 AM - System Checkpoint
RP1470: 10/30/2009 9:49:41 AM - System Checkpoint
RP1471: 10/31/2009 9:50:49 AM - System Checkpoint
RP1472: 11/1/2009 2:29:26 PM - System Checkpoint
RP1473: 11/2/2009 10:06:39 PM - System Checkpoint
RP1474: 11/3/2009 4:00:20 AM - Software Distribution Service 3.0
RP1475: 11/4/2009 4:26:46 AM - System Checkpoint
RP1476: 11/5/2009 12:14:14 PM - System Checkpoint
RP1477: 11/6/2009 8:53:27 PM - System Checkpoint
RP1478: 11/7/2009 10:37:52 PM - System Checkpoint
RP1479: 11/8/2009 10:44:23 PM - System Checkpoint
RP1480: 11/10/2009 6:37:42 AM - System Checkpoint
RP1481: 11/10/2009 5:17:22 PM - Removed Ad-Aware
RP1482: 11/12/2009 12:45:08 AM - System Checkpoint
RP1483: 11/12/2009 3:00:54 AM - Software Distribution Service 3.0
RP1484: 11/13/2009 3:56:07 AM - System Checkpoint
RP1485: 11/14/2009 12:05:41 PM - System Checkpoint
RP1486: 11/15/2009 7:32:12 PM - System Checkpoint
RP1487: 11/17/2009 3:43:37 AM - System Checkpoint
RP1488: 11/18/2009 8:00:24 AM - System Checkpoint
RP1489: 11/19/2009 2:31:10 PM - System Checkpoint
RP1490: 11/20/2009 10:31:10 PM - System Checkpoint
RP1491: 11/22/2009 6:44:09 AM - System Checkpoint
RP1492: 11/23/2009 2:31:11 PM - System Checkpoint
RP1493: 11/24/2009 5:58:47 PM - System Checkpoint
RP1494: 11/25/2009 3:00:32 AM - Software Distribution Service 3.0
RP1495: 11/25/2009 6:34:50 AM - Installed Java™ 6 Update 17
RP1496: 11/25/2009 3:16:43 PM - Removed Visual C++ 2008 x86 Runtime - (v9.0.30729)
RP1497: 11/25/2009 3:18:06 PM - Removed MobileMe Control Panel
RP1498: 11/25/2009 5:57:01 PM - Removed J2SE Runtime Environment 5.0 Update 10
RP1499: 11/25/2009 5:58:49 PM - Removed J2SE Runtime Environment 5.0 Update 11
RP1500: 11/25/2009 5:59:55 PM - Removed J2SE Runtime Environment 5.0 Update 5
RP1501: 11/25/2009 6:01:09 PM - Removed J2SE Runtime Environment 5.0 Update 6
RP1502: 11/25/2009 6:03:48 PM - Removed J2SE Runtime Environment 5.0 Update 9
RP1503: 11/25/2009 6:08:39 PM - Removed Java™ 6 Update 2
RP1504: 11/25/2009 6:14:38 PM - Removed Java™ 6 Update 3
RP1505: 11/26/2009 7:28:11 AM - Removed Java™ 6 Update 4
RP1506: 11/26/2009 7:31:00 AM - Removed Java™ 6 Update 5
RP1507: 11/26/2009 7:33:44 AM - Removed Java™ 6 Update 7
RP1508: 11/26/2009 7:35:43 AM - Removed Java™ SE Runtime Environment 6 Update 1
RP1509: 11/26/2009 7:37:08 AM - Removed McAfee Virtual Technician
RP1510: 11/26/2009 9:47:38 AM - Installed SUPERAntiSpyware Free Edition
RP1511: 11/27/2009 2:48:18 PM - System Checkpoint
RP1512: 11/28/2009 3:00:40 AM - Software Distribution Service 3.0
RP1513: 11/29/2009 11:58:41 AM - System Checkpoint
RP1514: 11/30/2009 2:44:17 PM - System Checkpoint
RP1515: 12/1/2009 6:50:39 PM - Removed SUPERAntiSpyware Free Edition

==== Installed Programs ======================

7-Zip 4.57
Ad-Aware
Adobe Acrobat 5.0
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Media Player
Adobe Reader 8.1.7
Adobe Shockwave Player
Adobe SVG Viewer 3.0
Advanced Disk Cleaner 4.7
AIM 6
Allofmp3 Explorer
allTunes
AMUST Disk Cleaner 1.0
AnswerWorks 5.0 English Runtime
AOL Instant Messenger
AOL Uninstaller (Choose which Products to Remove)
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoStudio 5.5
BigFix
Bonjour
Canon MP Navigator 3.0
Canon MP600
Canon My Printer
Canon Utilities Easy-PhotoPrint
CCleaner
CDCheck
Click'N Design 3D (V5)
Comcast PhotoShow Deluxe 4
Critical Update for Windows Media Player 11 (KB959772)
Download Updater (AOL LLC)
ESP Historic
FrostWire 4.13.1.4 BETA
Google Advertising Cookie Opt-out
Google Earth
Google Update Helper
Google Updater
hallowpartymp.zip
honestech VHS to DVD 4.0
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Photo Imaging Software
HP Photo Printing Software
HP Share-to-Web
IE PassView
Internet Explorer Q903235
iPAQ WebReg
iPod for Windows 2005-10-12
iPod for Windows 2006-03-23
iPod Updater 2004-08-06
iTunes
Java™ 6 Update 17
LimeWire 5.3.6
Malwarebytes' Anti-Malware
McAfee Security Scan
McAfee SecurityCenter
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft ActiveSync 4.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft SAPI 5.1 Voices for Windows XP
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Multimedia Keyboard Driver
NVIDIA Display Driver
NVIDIA Drivers
NVIDIA Ethernet Driver
NVIDIA IDE Driver
NVIDIA nForce Drivers
OLYMPUS CAMEDIA Master 4.1
Picasa 3
QuickTime
Safari
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Sierra Print Artist Craft Factory
Sierra Utilities
SiteSpinner V2
SoftV92 Data Fax Modem with SmartCP
Sophos Anti-Rootkit 1.5.0
TurboTax 2008
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wpaiper
TurboTax 2008 wrapper
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Outlook 2007 Junk Email Filter (kb975960)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
WildTangent Web Driver
Windows Backup Utility
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 11
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Movie Maker 2.0
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

12/1/2009 7:46:38 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: abp480n5 adpu160m agp440 agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p asc3550 cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o hpn i2omp ini910u IntelIde mraid35x perc2 perc2hib ql1080 Ql10wnt ql12160 ql1240 ql1280 sisagp Sparrow symc810 symc8xx sym_hi sym_u3 TosIde ultra viaagp ViaIde
12/1/2009 6:22:41 PM, error: PlugPlayManager [11] - The device Root\LEGACY_ROOTREPEAL\0000 disappeared from the system without first being prepared for removal.
11/29/2009 2:26:59 PM, error: Dhcp [1002] - The IP address lease 192.168.1.101 for the Network Card with network address 0040CA7BCD1A has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
11/28/2009 9:37:01 AM, error: Schedule [7901] - The At10.job command failed to start due to the following error: General access denied error
11/28/2009 8:37:00 AM, error: Schedule [7901] - The At9.job command failed to start due to the following error: General access denied error
11/28/2009 7:37:00 AM, error: Schedule [7901] - The At8.job command failed to start due to the following error: General access denied error
11/28/2009 6:50:09 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
11/28/2009 6:49:39 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/28/2009 6:49:31 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK7 Fips IPSec mfehidk MPFP MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip WS2IFSL
11/28/2009 6:49:31 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
11/28/2009 6:49:31 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/28/2009 6:49:31 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/28/2009 6:49:31 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBT service which failed to start because of the following error: A device attached to the system is not functioning.
11/28/2009 6:49:31 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/28/2009 6:49:31 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/28/2009 6:37:00 AM, error: Schedule [7901] - The At7.job command failed to start due to the following error: General access denied error
11/28/2009 5:37:00 AM, error: Schedule [7901] - The At6.job command failed to start due to the following error: General access denied error
11/28/2009 4:37:00 PM, error: Schedule [7901] - The At17.job command failed to start due to the following error: General access denied error
11/28/2009 4:37:00 AM, error: Schedule [7901] - The At5.job command failed to start due to the following error: General access denied error
11/28/2009 3:37:00 PM, error: Schedule [7901] - The At16.job command failed to start due to the following error: General access denied error
11/28/2009 3:37:00 AM, error: Schedule [7901] - The At4.job command failed to start due to the following error: General access denied error
11/28/2009 2:37:00 PM, error: Schedule [7901] - The At15.job command failed to start due to the following error: General access denied error
11/28/2009 2:37:00 AM, error: Schedule [7901] - The At3.job command failed to start due to the following error: General access denied error
11/28/2009 12:37:00 PM, error: Schedule [7901] - The At13.job command failed to start due to the following error: General access denied error
11/28/2009 12:37:00 AM, error: Schedule [7901] - The At1.job command failed to start due to the following error: General access denied error
11/28/2009 11:37:02 AM, error: Schedule [7901] - The At12.job command failed to start due to the following error: General access denied error
11/28/2009 10:37:00 AM, error: Schedule [7901] - The At11.job command failed to start due to the following error: General access denied error
11/28/2009 1:37:00 PM, error: Schedule [7901] - The At14.job command failed to start due to the following error: General access denied error
11/28/2009 1:37:00 AM, error: Schedule [7901] - The At2.job command failed to start due to the following error: General access denied error
11/27/2009 9:37:00 PM, error: Schedule [7901] - The At22.job command failed to start due to the following error: General access denied error
11/27/2009 9:04:29 AM, error: Service Control Manager [7000] - The SABProcEnum service failed to start due to the following error: The system cannot find the file specified.
11/27/2009 8:37:00 PM, error: Schedule [7901] - The At21.job command failed to start due to the following error: General access denied error
11/27/2009 7:37:00 PM, error: Schedule [7901] - The At20.job command failed to start due to the following error: General access denied error
11/27/2009 6:37:01 PM, error: Schedule [7901] - The At19.job command failed to start due to the following error: General access denied error
11/27/2009 5:37:01 PM, error: Schedule [7901] - The At18.job command failed to start due to the following error: General access denied error
11/27/2009 5:12:21 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll. Reference error message: The operation completed successfully. .
11/27/2009 4:01:17 PM, error: Service Control Manager [7000] - The McAfee SystemGuards service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/27/2009 4:01:16 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee SystemGuards service to connect.
11/27/2009 4:00:12 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
11/27/2009 4:00:11 PM, error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/27/2009 4:00:10 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the iPod Service service to connect.
11/27/2009 3:49:03 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.
11/27/2009 3:48:31 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the mcmscsvc service.
11/27/2009 3:41:48 PM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 0040CA7BCD1A has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
11/27/2009 11:37:00 PM, error: Schedule [7901] - The At24.job command failed to start due to the following error: General access denied error
11/27/2009 10:37:00 PM, error: Schedule [7901] - The At23.job command failed to start due to the following error: General access denied error
11/27/2009 1:25:39 PM, error: Service Control Manager [7034] - The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).
11/26/2009 7:49:16 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.ATL. Reference error message: The referenced assembly is not installed on your system. .
11/26/2009 7:49:16 AM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Lavasoft\Ad-Aware\ShellExt.dll. Reference error message: The operation completed successfully. .
11/26/2009 7:49:16 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.ATL could not be found and Last Error was The referenced assembly is not installed on your system.
11/26/2009 7:44:04 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Intuit Update Service service to connect.
11/26/2009 7:44:04 AM, error: Service Control Manager [7000] - The Intuit Update Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/26/2009 7:43:09 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
11/26/2009 7:43:09 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
11/26/2009 7:38:13 AM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
11/26/2009 1:46:26 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
11/26/2009 1:46:26 PM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

==== End Of File ===========================
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\atapi.sys|C:\WINDOWS\System32\Drivers\atapi.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

#9 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,228 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:09:41 PM

Posted 01 December 2009 - 08:14 PM

Lets scan for remnants:

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java, to download and install the latest version.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Attention! Kaspersky Online Scanner 7.0 may fail to start if another anti-virus program is already installed and running on your computer. Please deactivate the anti-virus software installed on your computer prior to starting Kaspersky Online Scanner 7.0.

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE): JRE 6 Update 17.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u17-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u17-windows-i586.exe and select "Run as an Administrator.")

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#10 Joeymac

Joeymac
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:09:41 PM

Posted 02 December 2009 - 05:05 AM

log

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, December 2, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, December 02, 2009 00:38:36
Records in database: 3320487
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - Critical areas:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Joe McKain\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics:
Objects scanned: 57115
Threats found: 4
Infected objects found: 4
Suspicious objects found: 1
Scan duration: 01:49:59


File name / Threat / Threats count
C:\Program Files\iTunes\bloody tears army of pharoahs.wma Infected: Trojan-Downloader.WMA.Wimad.t 1
C:\Program Files\Norton AntiVirus\Quarantine\6C825040.htm Suspicious: Exploit.HTML.Mht 1
C:\Program Files\Norton AntiVirus\Quarantine\6CCD15ED.class Infected: Exploit.Java.ByteVerify 1
C:\Program Files\Norton AntiVirus\Quarantine\6CDA3DDF.class Infected: Trojan.Java.ClassLoader.d 1
C:\Program Files\Norton AntiVirus\Quarantine\6CF40DC2.class Infected: Exploit.Java.ByteVerify 1

Selected area has been scanned.
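As an added example (not part of the scanner's output or of anyone's post in this thread), a small Python triage of the Kaspersky report format shown above. It separates objects that are already sitting in another product's quarantine folder from live files, which is the distinction the next reply relies on. The sample report lines are constructed from the ones in the log above; the quarantine-folder heuristic is an assumption, not a Kaspersky feature.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the "File name / Threat / Threats count" section of a
# Kaspersky Online Scanner 7.0 report, in the line format seen in the thread.
SAMPLE_REPORT = """\
File name / Threat / Threats count
C:\\Program Files\\iTunes\\bloody tears army of pharoahs.wma Infected: Trojan-Downloader.WMA.Wimad.t 1
C:\\Program Files\\Norton AntiVirus\\Quarantine\\6C825040.htm Suspicious: Exploit.HTML.Mht 1
C:\\Program Files\\Norton AntiVirus\\Quarantine\\6CCD15ED.class Infected: Exploit.Java.ByteVerify 1
Selected area has been scanned.
"""

# One finding per line: <path> <Infected|Suspicious>: <threat name> <count>
# The path may contain spaces, so it is matched non-greedily up to the verdict.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)

# Assumption: a path component with this name marks another AV product's
# quarantine store, i.e. an object that is already isolated, not active.
QUARANTINE_MARKERS = ("quarantine",)


def parse_report(text):
    """Return the findings in a report as dicts; header/footer lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            f = m.groupdict()
            f["count"] = int(f["count"])
            findings.append(f)
    return findings


def is_quarantined(path):
    """True if any directory component of the Windows path is a quarantine folder."""
    parts = [p.lower() for p in PureWindowsPath(path).parts[:-1]]
    return any(marker in parts for marker in QUARANTINE_MARKERS)


def triage(text):
    """Split findings into already-contained objects and live files needing action."""
    contained, live = [], []
    for f in parse_report(text):
        (contained if is_quarantined(f["path"]) else live).append(f)
    return {"contained": contained, "live": live}
```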

#11 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,228 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:09:41 PM

Posted 02 December 2009 - 08:34 AM

Hi, Joeymac :(

Empty (remove) Norton's quarantine and delete the following file:

C:\Program Files\iTunes\bloody tears army of pharoahs.wma

How is the computer doing?



#12 Joeymac

Joeymac
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:09:41 PM

Posted 02 December 2009 - 03:32 PM

I deleted the files that were quarantined by Norton Anti-Virus, along with the songs from iTunes. The redirects have stopped and the computer is running unbelievably fast. I am wondering, if the iPod the song is on is plugged in to update, will the computer get reinfected? Thanks so much for helping me.

#13 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,228 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:09:41 PM

Posted 02 December 2009 - 04:44 PM

Hi, Joeymac :(

Congratulations.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix
  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the x and the /u; it needs to be there.

Create a Restore point (If the above process fails to do so):
  • Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  • In the System Restore dialog box, click Create a restore point, and then click Next.
  • Type a description for your restore point, such as "After Cleanup", then click Create.
The following is a list of free tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - A useful tool which can search and annihilate bad files that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills bad files that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep bad files from installing on your system.
  • ZonedOut + IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those bad files that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

Best wishes!



#14 Joeymac

Joeymac
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:09:41 PM

Posted 02 December 2009 - 07:53 PM

I followed the directions for the System Restore point. I cannot remove ComboFix. When I type in ComboFix /Uninstall, with the space between the x and /u, it returns this message: "Windows cannot find combofix.exe." I see a folder in my programs named combofix. Can I just delete the folder?

#15 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,228 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:09:41 PM

Posted 02 December 2009 - 08:54 PM

I followed the directions for the System Restore point. I cannot remove ComboFix. When I type in ComboFix /Uninstall, with the space between the x and /u, it returns this message: "Windows cannot find combofix.exe." I see a folder in my programs named combofix. Can I just delete the folder?

Here is a better way. Download OTL.exe to your Desktop. Click on OTL.exe to run it, then on the Cleanup button. Follow the prompts. That will remove most tools, including itself.





