firefox redirect to http://xn--i-dda0ypa30g.../


  • This topic is locked
14 replies to this topic

#1 JanetM

JanetM

  • Members
  • 8 posts
  • OFFLINE
  • Local time:05:26 AM

Posted 07 December 2009 - 09:41 AM

I am having the same issue that others are having. Firefox keeps redirecting to random pages or hxxp://xn--i-dda0ypa30g.../
I have run Spybot and McAfee without any help.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Janet McCann at 9:28:31.85 on Sun 12/06/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.338 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Janet McCann\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0061208
mDefault_Page_URL = hxxp://www.dell.com
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Aim6]
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [mmtask] "c:\program files\musicmatch\musicmatch jukebox\mmtask.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpaiod~1.lnk - c:\program files\hewlett-packard\aio\hp officejet k series\bin\hpoorn07.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\winzip\WZQKPICK.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} - hxxp://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} - hxxp://66.242.36.104/app/view22RTE.cab
DPF: {CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: PCANotify - PCANotify.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\janetm~1\applic~1\mozilla\firefox\profiles\jifxtex3.default\
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0015-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2003-5-5 24365]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2003-4-21 10901]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-1-6 214664]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-1-6 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-1-6 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-1-6 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-1-6 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-1-6 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-1-6 40552]
S2 0137191258563887mcinstcleanup;McAfee Application Installer Cleanup (0137191258563887);c:\windows\temp\013719~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\013719~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2003-5-29 106496]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-1-6 34248]
S3 MsDepSvc;Web Deployment Agent Service;c:\program files\iis\microsoft web deploy\MsDepSvc.exe [2009-4-8 42888]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]

=============== Created Last 30 ================

2009-12-02 15:14:41 0 d-----w- c:\docume~1\janetm~1\applic~1\Macrovision
2009-11-24 15:54:13 0 d-----w- c:\documents and settings\janet mccann\workspace2
2009-11-16 19:54:38 0 d-----w- c:\program files\Support Tools
2009-11-11 04:08:24 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2009-11-11 04:08:24 69632 ----a-w- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2009-12-05 16:58:50 39180 ----a-w- c:\docume~1\janetm~1\applic~1\wklnhst.dat
2009-12-05 01:49:09 246784 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-12-04 17:39:27 117968 ----a-w- c:\docume~1\janetm~1\applic~1\GDIPFONTCACHEV1.DAT
2007-08-11 17:54:53 88 --sh--r- c:\windows\system32\20D6CD3970.sys
2007-08-11 17:56:34 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 9:29:52.47 ===============

Edited by Orange Blossom, 07 December 2009 - 11:40 PM.
Deactivate link. ~ OB
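The DDS log above is the material a helper triages before replying, and the line that stands out for a redirect complaint is `uInternet Settings,ProxyServer = http=127.0.0.1:5555`: a WinINet proxy pointing back at the local machine (the `u` prefix is DDS's marker for a per-user, HKCU, key; `m` is HKLM). No product in the posted process list provides such a proxy, and whatever is listening on port 5555 sees every request IE makes, plus every Firefox request if Firefox is set to use the system proxy settings. The script below is an added example, not part of the thread or of DDS itself; it runs a few such checks over a constructed subset of the posted report lines (the `hxxp://` spelling is the forum's defanging of `http://`). The finding names and the selection of checks are this example's own choices.

```python
import re
from typing import Dict, List

# Constructed sample: a subset of the "Pseudo HJT Report" lines from the DDS log
# posted above. "hxxp://" is the forum's defanged spelling of "http://"; the
# "u"/"m" prefixes are DDS's markers for per-user (HKCU) and machine (HKLM) keys.
SAMPLE_DDS = r"""
uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} - hxxp://66.242.36.104/app/view22RTE.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
mRun: [<NO NAME>]
"""

PROXY_LINE = re.compile(r"^([um])Internet Settings,ProxyServer\s*=\s*(.+)$")
# A proxy value of "host:port" or "http=host:port;..." whose host is the machine itself.
LOOPBACK = re.compile(r"^(?:\w+=)?(?:127\.\d+\.\d+\.\d+|localhost)(?::(\d+))?", re.I)
DPF_LINE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} - (\S+)$")
RAW_IP_URL = re.compile(r"^h(?:xx|tt)ps?://(\d{1,3}(?:\.\d{1,3}){3})/", re.I)


def triage_dds(text: str) -> List[Dict[str, str]]:
    """Return the report lines a malware-removal helper would look at first."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # 1. Proxy pointing back at the local machine. Nothing in the posted
        #    process list provides one, and any browser that follows the
        #    system (WinINet) proxy setting is routed through it.
        m = PROXY_LINE.match(line)
        if m:
            host = LOOPBACK.match(m.group(2))
            if host:
                scope = "HKCU" if m.group(1) == "u" else "HKLM"
                findings.append({"kind": "loopback_proxy",
                                 "detail": f"{scope} ProxyServer={m.group(2)} port={host.group(1)}"})
            continue
        # 2. Toolbar/BHO registrations whose DLL is gone: harmless by themselves,
        #    but orphaned entries are what a cleanup removes.
        if line.startswith(("TB:", "BHO:")) and line.endswith("- No File"):
            findings.append({"kind": "orphaned_entry", "detail": line})
            continue
        # 3. ActiveX (DPF) packages fetched from a bare IP rather than a vendor host.
        m = DPF_LINE.match(line)
        if m and RAW_IP_URL.match(m.group(1)):
            findings.append({"kind": "dpf_raw_ip", "detail": m.group(1)})
            continue
        # 4. Run keys with no value name are unusual for installed software.
        if re.match(r"^[um]Run: \[<NO NAME>\]", line):
            findings.append({"kind": "unnamed_run_key", "detail": line})
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"{f['kind']:16} {f['detail']}")
```

On the affected machine the same setting lives under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings` as the `ProxyServer` string value, enabled by the `ProxyEnable` DWORD; `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer` shows it, and `netstat -ano | findstr :5555` shows which process ID is listening on the port, which is the process a helper would want identified before the proxy entry is cleared.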




#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,092 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:01:26 PM

Posted 20 December 2009 - 04:33 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results. Post both logs (no need to zip attach.txt).
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)
  • GMER log
Please do NOT post logs as attachments, unless you are unable to copy/paste a log directly in the reply box.


Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Malware analyst @ Emsisoft


#3 JanetM

JanetM
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:05:26 AM

Posted 20 December 2009 - 03:09 PM

DDS (Ver_09-12-01.01) - NTFSx86
Run by Janet McCann at 15:04:38.39 on Sun 12/20/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.285 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
C:\WinZip\WZQKPICK.EXE
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Janet McCann\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0061208
mDefault_Page_URL = hxxp://www.dell.com
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Aim6]
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [mmtask] "c:\program files\musicmatch\musicmatch jukebox\mmtask.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpaiod~1.lnk - c:\program files\hewlett-packard\aio\hp officejet k series\bin\hpoorn07.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\winzip\WZQKPICK.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} - hxxp://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} - hxxp://66.242.36.104/app/view22RTE.cab
DPF: {CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: PCANotify - PCANotify.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\janetm~1\applic~1\mozilla\firefox\profiles\jifxtex3.default\
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0015-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2003-5-5 24365]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2003-4-21 10901]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-1-6 214664]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-1-6 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-1-6 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-1-6 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-1-6 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-1-6 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-1-6 40552]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2003-5-29 106496]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-1-6 34248]
S3 MsDepSvc;Web Deployment Agent Service;c:\program files\iis\microsoft web deploy\MsDepSvc.exe [2009-4-8 42888]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]

=============== Created Last 30 ================

2009-12-10 13:40:53 0 d--h--w- c:\windows\system32\GroupPolicy
2009-12-02 15:14:41 0 d-----w- c:\docume~1\janetm~1\applic~1\Macrovision
2009-11-24 15:54:13 0 d-----w- c:\documents and settings\janet mccann\workspace2

==================== Find3M ====================

2009-12-17 15:10:00 39428 ----a-w- c:\docume~1\janetm~1\applic~1\wklnhst.dat
2009-12-17 06:52:12 246784 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-12-04 17:39:27 117968 ----a-w- c:\docume~1\janetm~1\applic~1\GDIPFONTCACHEV1.DAT
2007-08-11 17:54:53 88 --sh--r- c:\windows\system32\20D6CD3970.sys
2007-08-11 17:56:34 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 15:06:36.14 ===============


#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,092 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:01:26 PM

Posted 20 December 2009 - 03:29 PM

Can you please post the GMER log as well and include a short description of the problem you are having?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 



#5 JanetM

JanetM
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:05:26 AM

Posted 20 December 2009 - 04:28 PM

When I do a search and then try to select any of the results, 3 out of 4 times I get redirected to some random site. I can only navigate by entering the URLs directly.

I have tried to run GMER many times and it won't complete. Sometimes it crashes after a few minutes. Other times it seems to be running fine, but when I return to my computer the system has rebooted.

I cannot boot into Safe Mode either. I tried each of the 3 Safe Mode options and I just get a blue screen. Any ideas?

#6 JanetM

  • Topic Starter

Posted 20 December 2009 - 07:16 PM

The only way I could get any log files from GMER was to run it with only some of the checkboxes enabled.
I have 3 log files: one for System/Sections/IAT/EAT; a second for Devices, modules, processes, threads, libraries, services; and finally the registry.
It doesn't make it through files; the system reboots. Hopefully this is still useful.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-20 16:41:02
Windows 5.1.2600 Service Pack 3
Running: r9vq79n3.exe; Driver: C:\DOCUME~1\JANETM~1\LOCALS~1\Temp\axtdypow.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEC76978A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEC769738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEC76974C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEC7697CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEC769710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEC769724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEC76979E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEC769776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEC769762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEC7697F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEC7697E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEC7697B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP EC7697B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP EC76978E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP EC7697CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP EC7697E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP EC7697A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP EC769714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP EC769728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP EC769766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1142 7 Bytes JMP EC769750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP EC76973C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP EC76977A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP EC7697FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.rsrc C:\WINDOWS\system32\drivers\iaStor.sys entry point in ".rsrc" section [0xF737C024]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF5EA0360, 0x21235D, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0076000A
.text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0076009D
.text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00760FB2
.text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0076008C
.text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00760065
.text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0076004A
.text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007600C9
.text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007600B8
.text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0076011A
.text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007600FF
.text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00760F66
.text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00760FC3
.text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00760FEF
.text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00760F8D
.text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0076002F
.text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00760FD4
.text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007600E4
.text C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006C0FD1
.text C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006C0F94
.text C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006C0022
.text C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006C0011
.text C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006C0FA5
.text C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006C0000
.text C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 006C0FC0
.text C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [8C, 88]
.text C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006C003D
.text C:\WINDOWS\system32\svchost.exe[700] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006B0042
.text C:\WINDOWS\system32\svchost.exe[700] msvcrt.dll!system 77C293C7 5 Bytes JMP 006B0FB7
.text C:\WINDOWS\system32\svchost.exe[700] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006B0027
.text C:\WINDOWS\system32\svchost.exe[700] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006B0FEF
.text C:\WINDOWS\system32\svchost.exe[700] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006B0FD2
.text C:\WINDOWS\system32\svchost.exe[700] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006B000C
.text C:\WINDOWS\system32\svchost.exe[700] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 006A0FE5
.text C:\WINDOWS\system32\svchost.exe[700] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 006A000A
.text C:\WINDOWS\system32\svchost.exe[700] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 006A0027
.text C:\WINDOWS\system32\svchost.exe[700] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 006A0042
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EC0FEF
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EC00B5
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EC009A
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EC0089
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EC0FC0
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EC0051
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EC00D0
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EC0F88
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EC0F48
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EC00E1
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EC0F2D
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EC0062
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EC0014
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EC0FA5
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EC0040
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EC0025
.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EC0F6D
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00070F7C
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0007002F
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00070F8D
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00070F9E
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [27, 88]
.text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00070FC3
.text C:\WINDOWS\system32\services.exe[764] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060F90
.text C:\WINDOWS\system32\services.exe[764] msvcrt.dll!system 77C293C7 5 Bytes JMP 0006001B
.text C:\WINDOWS\system32\services.exe[764] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060FB5
.text C:\WINDOWS\system32\services.exe[764] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00060FE3
.text C:\WINDOWS\system32\services.exe[764] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[764] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00060FD2
.text C:\WINDOWS\system32\services.exe[764] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 00050025
.text C:\WINDOWS\system32\services.exe[764] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 0005000A
.text C:\WINDOWS\system32\services.exe[764] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00050036
.text C:\WINDOWS\system32\services.exe[764] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\services.exe[764] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01050FEF
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 010500B3
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01050098
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01050087
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01050076
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0105005B
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 010500C4
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01050F88
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010500F3
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01050F50
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01050104
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01050FD4
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01050000
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01050F99
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01050040
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0105001B
.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01050F61
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E5001B
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E50F8D
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E50FCA
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E50000
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E50FA8
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E50FEF
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E50040
.text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E50FB9
.text C:\WINDOWS\system32\lsass.exe[776] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E40047
.text C:\WINDOWS\system32\lsass.exe[776] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E40FB2
.text C:\WINDOWS\system32\lsass.exe[776] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E40FDE
.text C:\WINDOWS\system32\lsass.exe[776] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E4000C
.text C:\WINDOWS\system32\lsass.exe[776] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E40FC3
.text C:\WINDOWS\system32\lsass.exe[776] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E40FEF
.text C:\WINDOWS\system32\lsass.exe[776] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E20FEF
.text C:\WINDOWS\system32\lsass.exe[776] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 00E3001B
.text C:\WINDOWS\system32\lsass.exe[776] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00E30000
.text C:\WINDOWS\system32\lsass.exe[776] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00E30042
.text C:\WINDOWS\system32\lsass.exe[776] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00E30FEF
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00990000
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00990F72
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00990F83
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0099005B
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0099004A
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00990FB9
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009900A9
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0099008C
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009900CB
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009900BA
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00990F0D
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00990FA8
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00990FE5
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00990F61
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00990FCA
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0099001B
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00990F46
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00980FE5
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00980FAF
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00980036
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00980011
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0098006C
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00980000
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0098005B
.text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00980FD4
.text C:\WINDOWS\system32\svchost.exe[952] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0246000A
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0097006B
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!system 77C293C7 5 Bytes JMP 0097005A
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0097002E
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00970000
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00970049
.text C:\WINDOWS\system32\svchost.exe[952] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00970011
.text C:\WINDOWS\system32\svchost.exe[952] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 0096001B
.text C:\WINDOWS\system32\svchost.exe[952] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 0096000A
.text C:\WINDOWS\system32\svchost.exe[952] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00960FEF
.text C:\WINDOWS\system32\svchost.exe[952] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 0096004C
.text C:\WINDOWS\system32\svchost.exe[952] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00780FEF
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DA000A
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DA00BD
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DA00AC
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DA0FD4
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DA0087
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DA0065
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DA00EB
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DA00DA
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DA0F7E
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DA0117
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DA0132
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DA0076
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DA001B
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DA0FA3
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DA0FEF
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DA0036
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DA00FC
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D90011
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D90F8A
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D90000
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D90FD4
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D90047
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D90FEF
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D90FA5
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F9, 88]
.text C:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D90036
.text C:\WINDOWS\system32\svchost.exe[1028] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D80064
.text C:\WINDOWS\system32\svchost.exe[1028] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D80049
.text C:\WINDOWS\system32\svchost.exe[1028] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D8002E
.text C:\WINDOWS\system32\svchost.exe[1028] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D8000C
.text C:\WINDOWS\system32\svchost.exe[1028] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D80FD9
.text C:\WINDOWS\system32\svchost.exe[1028] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D8001D
.text C:\WINDOWS\system32\svchost.exe[1028] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 00D70FE5
.text C:\WINDOWS\system32\svchost.exe[1028] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00D70000
.text C:\WINDOWS\system32\svchost.exe[1028] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00D70011
.text C:\WINDOWS\system32\svchost.exe[1028] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00D70022
.text C:\WINDOWS\system32\svchost.exe[1028] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00780FEF
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02C00FE5
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02C0008E
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02C00F99
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02C00073
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02C00062
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02C00036
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02C000BA
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02C00F72
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02C00101
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02C000E6
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02C00F4D
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02C00047
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02C00FD4
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02C000A9
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02C0001B
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02C0000A
.text C:\WINDOWS\System32\svchost.exe[1068] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02C000CB
.text C:\WINDOWS\System32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02BF0FC0
.text C:\WINDOWS\System32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02BF0047
.text C:\WINDOWS\System32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02BF0FD1
.text C:\WINDOWS\System32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02BF0011
.text C:\WINDOWS\System32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02BF0F8A
.text C:\WINDOWS\System32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02BF0000
.text C:\WINDOWS\System32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02BF0FA5
.text C:\WINDOWS\System32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DF, 8A]
.text C:\WINDOWS\System32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02BF002C
.text C:\WINDOWS\System32\svchost.exe[1068] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0263005C
.text C:\WINDOWS\System32\svchost.exe[1068] msvcrt.dll!system 77C293C7 5 Bytes JMP 0263004B
.text C:\WINDOWS\System32\svchost.exe[1068] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02630FE5
.text C:\WINDOWS\System32\svchost.exe[1068] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02630000
.text C:\WINDOWS\System32\svchost.exe[1068] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0263003A
.text C:\WINDOWS\System32\svchost.exe[1068] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02630029
.text C:\WINDOWS\System32\svchost.exe[1068] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 02620FE5
.text C:\WINDOWS\System32\svchost.exe[1068] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 02620000
.text C:\WINDOWS\System32\svchost.exe[1068] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 02620FC8
.text C:\WINDOWS\System32\svchost.exe[1068] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 02620025
.text C:\WINDOWS\System32\svchost.exe[1068] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02610000
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 008F0000
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 008F006A
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 008F0F75
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 008F0F86
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 008F0F97
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 008F0FCD
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008F0F22
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 008F0F3D
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008F0EF6
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008F008F
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008F00B4
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 008F0FB2
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 008F0FEF
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 008F0F5A
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 008F0039
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 008F0FDE
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!WinExec 7C86250D 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 008F0F11
.text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 008E0FB9
.text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 008E005B
.text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 008E0FCA
.text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 008E0FDB
.text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 008E004A
.text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 008E0000
.text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 008E002F
.text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 008E0FA8
.text C:\WINDOWS\system32\svchost.exe[1252] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00780016
.text C:\WINDOWS\system32\svchost.exe[1252] msvcrt.dll!system 77C293C7 5 Bytes JMP 00780F8B
.text C:\WINDOWS\system32\svchost.exe[1252] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00780FC1
.text C:\WINDOWS\system32\svchost.exe[1252] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00780FEF
.text C:\WINDOWS\system32\svchost.exe[1252] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00780FA6
.text C:\WINDOWS\system32\svchost.exe[1252] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00780FD2
.text C:\WINDOWS\system32\svchost.exe[1252] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 00770FEF
.text C:\WINDOWS\system32\svchost.exe[1252] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00770000
.text C:\WINDOWS\system32\svchost.exe[1252] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00770FD4
.text C:\WINDOWS\system32\svchost.exe[1252] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 0077001B
.text C:\WINDOWS\system32\svchost.exe[1252] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00760FEF
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F70000
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F70082
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F70F8D
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F70FA8
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F70065
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F7004A
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F70F72
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F700BA
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F7010B
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F700F0
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F70F57
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F70FC3
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F70011
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F7009D
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F70FD4
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F70FE5
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F700D5
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F60FC0
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F6005B
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F60011
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F60FDB
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F60040
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F60000
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F60F9E
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [16, 89]
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F60FAF
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F50069
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F5004E
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F50022
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F50000
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F50033
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F50011
.text C:\WINDOWS\system32\svchost.exe[1280] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 00F40FE5
.text C:\WINDOWS\system32\svchost.exe[1280] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00F40000
.text C:\WINDOWS\system32\svchost.exe[1280] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00F40027
.text C:\WINDOWS\system32\svchost.exe[1280] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00F40FD4
.text C:\WINDOWS\system32\svchost.exe[1280] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F30FEF
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00770000
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00770F6F
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00770F8A
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00770062
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00770FA5
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00770036
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007700A6
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00770095
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007700C8
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007700B7
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007700D9
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00770047
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00770FEF
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00770F5E
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00770025
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00770FD4
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00770F39
.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00680FB9
.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0068005B
.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00680FCA
.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00680FE5
.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0068004A
.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00680000
.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00680039
.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00680FA8
.text C:\WINDOWS\system32\svchost.exe[1440] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0067003D
.text C:\WINDOWS\system32\svchost.exe[1440] msvcrt.dll!system 77C293C7 5 Bytes JMP 0067002C
.text C:\WINDOWS\system32\svchost.exe[1440] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00670FD7
.text C:\WINDOWS\system32\svchost.exe[1440] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00670000
.text C:\WINDOWS\system32\svchost.exe[1440] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00670FBC
.text C:\WINDOWS\system32\svchost.exe[1440] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00670011
.text C:\WINDOWS\system32\svchost.exe[1440] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 00660011
.text C:\WINDOWS\system32\svchost.exe[1440] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 00660000
.text C:\WINDOWS\system32\svchost.exe[1440] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00660FCF
.text C:\WINDOWS\system32\svchost.exe[1440] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00660FBE
.text C:\WINDOWS\system32\svchost.exe[1440] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00650FEF
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 013D000A
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 013D00B5
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 013D0FC0
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 013D009A
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 013D0073
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 013D0047
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 013D0F88
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 013D00D0
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 013D0117
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 013D0106
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 013D0F63
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 013D0062
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 013D0FEF
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 013D0FA5
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 013D0036
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 013D0025
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 013D00EB
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01130051
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] msvcrt.dll!system 77C293C7 5 Bytes JMP 01130FC6
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01130011
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01130FEF
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0113002C
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01130000
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01140014
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01140F6B
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01140FC3
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01140FDE
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01140F7C
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01140FEF
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01140F97
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [34, 89] {XOR AL, 0x89}
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01140FA8
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01110000
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 01120FE5
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 01120000
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 01120011
.text C:\WINDOWS\system32\inetsrv\inetinfo.exe[1644] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 01120FBE
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1880] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1880] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\Explorer.EXE[3028] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001C0FEF
.text C:\WINDOWS\Explorer.EXE[3028] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C0F5E
.text C:\WINDOWS\Explorer.EXE[3028] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001C0F79
.text C:\WINDOWS\Explorer.EXE[3028] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001C0051
.text C:\WINDOWS\Explorer.EXE[3028] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001C0040
.text C:\WINDOWS\Explorer.EXE[3028] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001C0025
.text C:\WINDOWS\Explorer.EXE[3028] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001C0F2D
.text C:\WINDOWS\Explorer.EXE[3028] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001C007F
.text C:\WINDOWS\Explorer.EXE[3028] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C00BF
.text C:\WINDOWS\Explorer.EXE[3028] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001C009A
.text C:\WINDOWS\Explorer.EXE[3028] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001C0F0B
.text C:\WINDOWS\Explorer.EXE[3028] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001C0F9E
.text C:\WINDOWS\Explorer.EXE[3028] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001C0FDE
.text C:\WINDOWS\Explorer.EXE[3028] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001C006E
.text C:\WINDOWS\Explorer.EXE[3028] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001C0014
.text C:\WINDOWS\Explorer.EXE[3028] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001C0FC3
.text C:\WINDOWS\Explorer.EXE[3028] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001C0F1C
.text C:\WINDOWS\Explorer.EXE[3028] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002B0FB9
.text C:\WINDOWS\Explorer.EXE[3028] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002B0F8D
.text C:\WINDOWS\Explorer.EXE[3028] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002B0FCA
.text C:\WINDOWS\Explorer.EXE[3028] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002B000A
.text C:\WINDOWS\Explorer.EXE[3028] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002B004A
.text C:\WINDOWS\Explorer.EXE[3028] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\Explorer.EXE[3028] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002B002F
.text C:\WINDOWS\Explorer.EXE[3028] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002B0FA8
.text C:\WINDOWS\Explorer.EXE[3028] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002C0FB7
.text C:\WINDOWS\Explorer.EXE[3028] msvcrt.dll!system 77C293C7 5 Bytes JMP 002C0042
.text C:\WINDOWS\Explorer.EXE[3028] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002C001D
.text C:\WINDOWS\Explorer.EXE[3028] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002C0000
.text C:\WINDOWS\Explorer.EXE[3028] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002C0FC8
.text C:\WINDOWS\Explorer.EXE[3028] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\Explorer.EXE[3028] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 002E0FEF
.text C:\WINDOWS\Explorer.EXE[3028] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 002E000A
.text C:\WINDOWS\Explorer.EXE[3028] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 002E0FDE
.text C:\WINDOWS\Explorer.EXE[3028] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 002E0FC3
.text C:\WINDOWS\Explorer.EXE[3028] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CC000A
.text C:\WINDOWS\System32\svchost.exe[3108] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001C0FE5
.text C:\WINDOWS\System32\svchost.exe[3108] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C0F6B
.text C:\WINDOWS\System32\svchost.exe[3108] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001C0F7C
.text C:\WINDOWS\System32\svchost.exe[3108] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001C004A
.text C:\WINDOWS\System32\svchost.exe[3108] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001C0F8D
.text C:\WINDOWS\System32\svchost.exe[3108] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001C0025
.text C:\WINDOWS\System32\svchost.exe[3108] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001C0F18
.text C:\WINDOWS\System32\svchost.exe[3108] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001C0F35
.text C:\WINDOWS\System32\svchost.exe[3108] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C0EFD
.text C:\WINDOWS\System32\svchost.exe[3108] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001C0096
.text C:\WINDOWS\System32\svchost.exe[3108] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001C0EE2
.text C:\WINDOWS\System32\svchost.exe[3108] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001C0F9E
.text C:\WINDOWS\System32\svchost.exe[3108] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001C0FD4
.text C:\WINDOWS\System32\svchost.exe[3108] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001C0F46
.text C:\WINDOWS\System32\svchost.exe[3108] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001C0FC3
.text C:\WINDOWS\System32\svchost.exe[3108] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001C000A
.text C:\WINDOWS\System32\svchost.exe[3108] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001C007B
.text C:\WINDOWS\System32\svchost.exe[3108] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002B0FDB
.text C:\WINDOWS\System32\svchost.exe[3108] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002B0058
.text C:\WINDOWS\System32\svchost.exe[3108] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002B002C
.text C:\WINDOWS\System32\svchost.exe[3108] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002B001B
.text C:\WINDOWS\System32\svchost.exe[3108] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002B0FA5
.text C:\WINDOWS\System32\svchost.exe[3108] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002B0000
.text C:\WINDOWS\System32\svchost.exe[3108] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002B0FC0
.text C:\WINDOWS\System32\svchost.exe[3108] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4B, 88]
.text C:\WINDOWS\System32\svchost.exe[3108] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002B0047
.text C:\WINDOWS\System32\svchost.exe[3108] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0040007A
.text C:\WINDOWS\System32\svchost.exe[3108] msvcrt.dll!system 77C293C7 5 Bytes JMP 0040005F
.text C:\WINDOWS\System32\svchost.exe[3108] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00400029
.text C:\WINDOWS\System32\svchost.exe[3108] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00400FEF
.text C:\WINDOWS\System32\svchost.exe[3108] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00400044
.text C:\WINDOWS\System32\svchost.exe[3108] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0040000C
.text C:\WINDOWS\System32\svchost.exe[3108] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 0071001B
.text C:\WINDOWS\System32\svchost.exe[3108] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 0071000A
.text C:\WINDOWS\System32\svchost.exe[3108] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 0071002C
.text C:\WINDOWS\System32\svchost.exe[3108] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00710FE5
.text C:\WINDOWS\System32\svchost.exe[3108] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[3596] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001D0000
.text C:\WINDOWS\system32\wuauclt.exe[3596] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001D00BF
.text C:\WINDOWS\system32\wuauclt.exe[3596] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001D00A4
.text C:\WINDOWS\system32\wuauclt.exe[3596] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001D0087
.text C:\WINDOWS\system32\wuauclt.exe[3596] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001D0076
.text C:\WINDOWS\system32\wuauclt.exe[3596] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001D0FDE
.text C:\WINDOWS\system32\wuauclt.exe[3596] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001D0FA3
.text C:\WINDOWS\system32\wuauclt.exe[3596] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001D00EB
.text C:\WINDOWS\system32\wuauclt.exe[3596] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001D0F5C
.text C:\WINDOWS\system32\wuauclt.exe[3596] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001D0F6D
.text C:\WINDOWS\system32\wuauclt.exe[3596] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001D0F4B
.text C:\WINDOWS\system32\wuauclt.exe[3596] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001D0065
.text C:\WINDOWS\system32\wuauclt.exe[3596] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001D0025
.text C:\WINDOWS\system32\wuauclt.exe[3596] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001D00DA
.text C:\WINDOWS\system32\wuauclt.exe[3596] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001D004A
.text C:\WINDOWS\system32\wuauclt.exe[3596] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001D0FEF
.text C:\WINDOWS\system32\wuauclt.exe[3596] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001D0F88
.text C:\WINDOWS\system32\wuauclt.exe[3596] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002C0FAD
.text C:\WINDOWS\system32\wuauclt.exe[3596] msvcrt.dll!system 77C293C7 5 Bytes JMP 002C0042
.text C:\WINDOWS\system32\wuauclt.exe[3596] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002C0FE3
.text C:\WINDOWS\system32\wuauclt.exe[3596] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002C000C
.text C:\WINDOWS\system32\wuauclt.exe[3596] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002C0FD2
.text C:\WINDOWS\system32\wuauclt.exe[3596] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002C001D
.text C:\WINDOWS\system32\wuauclt.exe[3596] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002D0FE5
.text C:\WINDOWS\system32\wuauclt.exe[3596] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002D0FB6
.text C:\WINDOWS\system32\wuauclt.exe[3596] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002D002C
.text C:\WINDOWS\system32\wuauclt.exe[3596] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002D001B
.text C:\WINDOWS\system32\wuauclt.exe[3596] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002D007D
.text C:\WINDOWS\system32\wuauclt.exe[3596] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002D000A
.text C:\WINDOWS\system32\wuauclt.exe[3596] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002D0062
.text C:\WINDOWS\system32\wuauclt.exe[3596] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002D0051
.text C:\WINDOWS\system32\wuauclt.exe[3596] WININET.dll!InternetOpenW 771BAF45 5 Bytes JMP 00990025
.text C:\WINDOWS\system32\wuauclt.exe[3596] WININET.dll!InternetOpenA 771C5796 5 Bytes JMP 0099000A
.text C:\WINDOWS\system32\wuauclt.exe[3596] WININET.dll!InternetOpenUrlA 771C5A62 5 Bytes JMP 00990036
.text C:\WINDOWS\system32\wuauclt.exe[3596] WININET.dll!InternetOpenUrlW 771D5BB2 5 Bytes JMP 00990FE3

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-20 17:09:26
Windows 5.1.2600 Service Pack 3
Running: r9vq79n3.exe; Driver: C:\DOCUME~1\JANETM~1\LOCALS~1\Temp\axtdypow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device B7149D20

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device -> \Driver\iaStor \Device\Harddisk0\DR0 86F33618

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-20 17:08:28
Windows 5.1.2600 Service Pack 3
Running: r9vq79n3.exe; Driver: C:\DOCUME~1\JANETM~1\LOCALS~1\Temp\axtdypow.sys


---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{9C6A2914-9038-5A93-8E4E2AA93031FE8A}\{46AC4424-D398-E69C-9CDA7740FD2FECA9}\{CDFE3DAA-B6EE-697E-028EC491D3BD395C}
Reg HKLM\SOFTWARE\Classes\CLSID\{9C6A2914-9038-5A93-8E4E2AA93031FE8A}\{46AC4424-D398-E69C-9CDA7740FD2FECA9}\{CDFE3DAA-B6EE-697E-028EC491D3BD395C}@XOGCPEUPGZA3BTOUPKIJ6FJXTE1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FE362BA5-0629-D23B-C3FB8C239E33F8FC}\{C1CE7122-E981-B6FB-55D5EB357453DE2E}\{F24091A5-7F5D-E904-126AD7451BC3CC57}
Reg HKLM\SOFTWARE\Classes\CLSID\{FE362BA5-0629-D23B-C3FB8C239E33F8FC}\{C1CE7122-E981-B6FB-55D5EB357453DE2E}\{F24091A5-7F5D-E904-126AD7451BC3CC57}@XOGCPEUPGZA3BTOUPKIJ6FJXTE1 0x01 0x00 0x01 0x00 ...

---- EOF - GMER 1.0.15 ----

#7 Elise (Malware Study Hall Admin)

Posted 21 December 2009 - 04:31 AM

Hello JanetM,

Thanks, that showed me what I wanted to see. Unfortunately you are infected with a nasty rootkit. Please consider the following....

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Bleepingcomputer
  • ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#8 JanetM (Topic Starter)

Posted 21 December 2009 - 10:20 AM

ComboFix 09-12-20.08 - Janet McCann 12/21/2009 9:37.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.612 [GMT -5:00]
Running from: c:\documents and settings\Janet McCann\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jenny Mccann\Desktop\Download programs.url
c:\documents and settings\Jenny Mccann\Desktop\Games.url
c:\documents and settings\Jenny Mccann\Desktop\Translator.url
c:\documents and settings\Jenny Mccann\Desktop\Videos.url
c:\documents and settings\Jenny Mccann\Favorites\Download programs.url
c:\documents and settings\Jenny Mccann\Favorites\Games.url
c:\documents and settings\Jenny Mccann\Favorites\Translator.url
c:\documents and settings\Jenny Mccann\Favorites\Videos.url
c:\documents and settings\Jenny Mccann\Start Menu\Programs\Download programs.url
c:\documents and settings\Jenny Mccann\Start Menu\Programs\Games.url
c:\documents and settings\Jenny Mccann\Start Menu\Programs\Translator.url
c:\documents and settings\Jenny Mccann\Start Menu\Programs\Videos.url
c:\windows\system32\Cache
E:\autorun.inf

Infected copy of c:\windows\system32\drivers\iaStor.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((( Files Created from 2009-11-21 to 2009-12-21 )))))))))))))))))))))))))))))))
.

2009-12-10 13:40 . 2009-12-10 13:40 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-12-02 15:14 . 2009-12-02 15:14 -------- d-----w- c:\documents and settings\Janet McCann\Application Data\Macrovision
2009-11-24 15:54 . 2009-11-24 15:55 -------- d-----w- c:\documents and settings\Janet McCann\workspace2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-20 17:13 . 2008-01-06 17:27 -------- d-----w- c:\program files\McAfee
2009-12-19 17:30 . 2006-12-21 23:12 38012 ----a-w- c:\documents and settings\Jenny Mccann\Application Data\wklnhst.dat
2009-12-17 15:10 . 2006-12-15 22:16 39428 ----a-w- c:\documents and settings\Janet McCann\Application Data\wklnhst.dat
2009-12-17 06:52 . 2006-12-09 03:20 246784 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-12-11 12:56 . 2009-01-21 01:17 -------- d-----w- c:\documents and settings\Janet McCann\Application Data\MySQL
2009-12-07 01:06 . 2007-12-29 16:27 -------- d-----w- c:\documents and settings\Jenny Mccann\Application Data\Move Networks
2009-12-02 15:51 . 2009-08-15 16:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-02 15:24 . 2006-12-09 03:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-30 21:53 . 2006-12-15 21:22 -------- d-----w- c:\program files\Viewpoint
2009-11-30 21:53 . 2006-12-15 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-11-26 14:14 . 2007-06-20 00:40 -------- d-----w- c:\program files\QuickTime
2009-11-26 14:11 . 2007-08-22 14:48 -------- d-----w- c:\program files\Common Files\Apple
2009-11-26 14:11 . 2006-12-25 13:08 -------- d-----w- c:\program files\Apple Software Update
2009-11-16 19:54 . 2009-11-16 19:54 -------- d-----w- c:\program files\Support Tools
2009-11-06 02:03 . 2006-12-15 19:57 118360 ----a-w- c:\documents and settings\Jenny Mccann\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-23 15:31 . 2006-12-09 03:53 118360 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-08-11 17:54 . 2006-12-16 16:56 88 --sh--r- c:\windows\system32\20D6CD3970.sys
2007-08-11 17:56 . 2006-12-16 16:56 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-09-26 206184]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-22 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-16 7323648]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-17 135168]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-02 267048]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-29 148888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HPAiODevice(hp officejet k series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe [2002-11-20 151552]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
WinZip Quick Pick.lnk - c:\winzip\WZQKPICK.EXE [2006-12-18 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2003-05-29 15:00 8704 ----a-w- c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [10/28/2008 4:42 PM 156968]
S3 MsDepSvc;Web Deployment Agent Service;c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe [4/8/2009 5:10 PM 42888]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 7:28 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 1:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 7:28 PM 369688]
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Janet McCann\Application Data\Mozilla\Firefox\Profiles\jifxtex3.default\
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-21 09:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MsDepSvc]
"ImagePath"="\"c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe\" -runService:MsDepSvc"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9C6A2914-9038-5A93-8E4E2AA93031FE8A}\{46AC4424-D398-E69C-9CDA7740FD2FECA9}\{CDFE3DAA-B6EE-697E-028EC491D3BD395C}*]
"XOGCPEUPGZA3BTOUPKIJ6FJXTE1"=hex:01,00,01,00,00,00,00,00,9a,27,1e,8a,da,80,81,
12,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FE362BA5-0629-D23B-C3FB8C239E33F8FC}\{C1CE7122-E981-B6FB-55D5EB357453DE2E}\{F24091A5-7F5D-E904-126AD7451BC3CC57}*]
"XOGCPEUPGZA3BTOUPKIJ6FJXTE1"=hex:01,00,01,00,00,00,00,00,9a,27,1e,8a,da,80,81,
12,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3188)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\MySQL\MySQL Server 5.1\bin\mysqld.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\progra~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
c:\windows\system32\hpoipm07.exe
c:\program files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
c:\program files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-12-21 10:07:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-21 15:07

Pre-Run: 97,907,732,480 bytes free
Post-Run: 101,061,169,152 bytes free

- - End Of File - - F32AFCE36FA2714FCDD4815A5AC361A1

#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,092 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:01:26 PM

Posted 21 December 2009 - 10:54 AM

Hello JanetM,

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy
UPDATE JAVA
------------------
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u15-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


In your next reply, please include the following:
  • MBAM log
  • A description of any remaining problems.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#10 JanetM

JanetM
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:05:26 AM

Posted 22 December 2009 - 07:10 AM

Looks like everything is working. Thanks

Malwarebytes' Anti-Malware 1.42
Database version: 3403
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

12/21/2009 11:11:44 PM
mbam-log-2009-12-21 (23-11-44).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 836620
Time elapsed: 10 hour(s), 46 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,092 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:01:26 PM

Posted 22 December 2009 - 07:27 AM

Hello JanetM,

ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Note - when ESET doesn't find any threats, no report will be created.
  • Push the Posted Image button.
  • Push Posted Image
In your next reply, please include the following:
  • ESET online scan results

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#12 JanetM

JanetM
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:05:26 AM

Posted 22 December 2009 - 04:50 PM

Here are the results

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\iaStor.sys.vir Win32/Olmarik.RF virus deleted - quarantined

#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,092 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:01:26 PM

Posted 23 December 2009 - 01:26 AM

Hello JanetM,

ALL CLEAN
--------------
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:
  • Delete the tools used during the disinfection:
  • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
  • Delete DDS, GMER (this is a random named file) and RootRepeal.
Please read the following advice, in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.
Some more links you might find of interest:
Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#14 JanetM

JanetM
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:05:26 AM

Posted 23 December 2009 - 10:08 AM

Thanks for all your help. Everything appears to be working fine now.

Edited by JanetM, 23 December 2009 - 10:13 AM.


#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,092 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:01:26 PM

Posted 23 December 2009 - 10:53 AM

Glad to hear that :(

This topic will now be closed. If you need it to be re-opened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft
