Search Engine Hijacked ad re-directing to rogue sites


This topic is locked
4 replies to this topic

#1 DanInDorset

DanInDorset

  • Members
  • 2 posts

Posted 29 March 2010 - 05:00 PM

Hi,

My browsers are being hijacked and I have run Malwarebytes (in safe mode), Antispyware and PC Tools!! I have also tried a restore point too, but to no avail. I tried to run DDS but it wouldn't run, but I have a log file from HijackThis for inspection, which is below, as I can't see the attach facility.

Can anyone detect for me where the rogue is and how I can remove this, please?

This has happened after a trojan XP AVE anti-virus rogue got in somehow, which has now been removed, although I suspect it is still lurking in the registry somewhere.

Many thanks for taking a look

DanInDorset


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:33:45, on 29/03/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\BUFFALO\NASNAVI\nassvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative\Desktop Wireless\mouse_2k.exe
C:\Program Files\Creative\Desktop Wireless\kb_2k.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\BUFFALO\HDManage\HDManage.exe
C:\Program Files\BUFFALO\NASNAVI\nassche.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
C:\HiJackThis\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [CreativeMouse ] C:\Program Files\Creative\Desktop Wireless\mouse_2k.exe
O4 - HKLM\..\Run: [CreativeKeyboard ] C:\Program Files\Creative\Desktop Wireless\kb_2k.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Memeo Backup] C:\Program Files\Memeo\AutoBackup\MemeoLauncher2.exe --silent --no_ui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Danny\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: BUFFALO NAS Navigator.lnk = C:\Program Files\BUFFALO\NASNAVI\NasNavi.exe
O4 - Startup: BUFFALO Power Save Utility for HD.lnk = C:\Program Files\BUFFALO\HDManage\HDManage.exe
O4 - Startup: msprotect32.exe
O4 - Startup: NAS Scheduler.lnk = C:\Program Files\BUFFALO\NASNAVI\nassche.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientIn...2/OCI/setup.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Update Service (gupdate1c9ead8b5b1618a) (gupdate1c9ead8b5b1618a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: MemeoBackgroundService - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NAS PM Service (NasPmService) - BUFFALO INC. - C:\Program Files\BUFFALO\NASNAVI\nassvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe

--
End of file - 14234 bytes

EDIT: Moved from Am I infected? What do I do? ~BP

Edited by Budapest, 29 March 2010 - 05:08 PM.
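The log above is the kind of thing a responder reads line by line. As an added example (not from the thread, and not a tool the BleepingComputer staff use), the Python below parses the O4 autostart lines of a HijackThis v2 log and returns the entries worth a second look: an executable sitting directly in a Startup folder instead of a .lnk shortcut (the log above contains `O4 - Startup: msprotect32.exe`), a Run value whose command has no directory in it, a shortcut HijackThis could not resolve (`= ?`), and an autostart living under a user-writable profile directory. The sample lines and every rule are constructed for illustration; a hit means "inspect this file", not a malware verdict.

```python
"""Triage of HijackThis 'O4' autostart lines.

Added example, not part of the BleepingComputer thread and not a tool the
forum staff use. It parses the O4 lines of a HijackThis v2 log and returns
the entries a responder should look at first. Every heuristic here is a
constructed review rule: a hit means "inspect this file", not "malware".
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the line format HijackThis v2.0.2 emits (a few of the
# lines mirror the ones posted in the thread above).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Danny\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - Startup: NAS Scheduler.lnk = C:\Program Files\BUFFALO\NASNAVI\nassche.exe
O4 - Startup: msprotect32.exe
O4 - Global Startup: BTTray.lnk = ?
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>"  (hive may be HKUS\S-1-5-xx)
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "O4 - Startup: <file in Startup folder>" or "... <name>.lnk = <resolved target>"
STARTUP_RE = re.compile(r"^O4 - (?P<scope>Global Startup|Startup): (?P<entry>.*)$")

# Directories a non-admin user can write to; an autostart living here gets reviewed.
USER_WRITABLE_MARKERS = ("\\local settings\\", "\\application data\\", "\\temp\\")


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def executable_path(cmd: str) -> str:
    """Return the executable from a Run command line, dropping its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_o4(log_text: str) -> list[Finding]:
    """Apply the review rules to every O4 line; non-O4 lines are ignored."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        run = RUN_RE.match(line)
        if run:
            path = executable_path(run.group("cmd"))
            if "\\" not in path:
                # Bare file name: Windows resolves it by search order, so
                # confirm which file on disk actually runs.
                findings.append(Finding(line, "unqualified path in Run value"))
            elif any(marker in path.lower() for marker in USER_WRITABLE_MARKERS):
                findings.append(Finding(line, "autostart in a user-writable directory"))
            continue
        startup = STARTUP_RE.match(line)
        if startup:
            entry = startup.group("entry")
            if " = " in entry:
                _shortcut, target = entry.split(" = ", 1)
                if target.strip() == "?":
                    findings.append(Finding(line, "shortcut target could not be resolved"))
            elif not entry.lower().endswith(".lnk"):
                # Legitimate installers drop shortcuts here; a bare .exe is unusual.
                findings.append(Finding(line, "executable placed directly in Startup folder"))
    return findings


if __name__ == "__main__":
    for finding in triage_o4(SAMPLE_LOG):
        print(f"{finding.reason}\n    {finding.line}")
```

Run against the constructed sample it reports four lines (the bare `Ati2mdxx.exe`, the Google updater under Local Settings, `msprotect32.exe` in the Startup folder, and the unresolved `BTTray.lnk`), and leaves the fully qualified Program Files and system32 entries alone. The user-writable rule is deliberately noisy: the Google updater it flags is a normal install location, which is exactly why the output is a review list and not a verdict.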



#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 02 April 2010 - 02:46 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#3 DanInDorset

DanInDorset
  • Topic Starter

  • Members
  • 2 posts

Posted 03 April 2010 - 05:14 PM

Hi Schrauber,

Thanks for the reply. First, I am now away for up to 10 days, so I apologise if I reply late after this post.

Below are the DDS log and most of the GMER log. The GMER log crashed 4 times and re-booted. So the last file you see is a mid term save of the screen.

PC Tools keeps identifying Backdoor.Bredolab infections (4 or 5 at a time) which either re-appear or are not removed. The CPU is running high, with KService and iexplore being hot users, and there are also about 8 svchosts running too. Google or any search engine is hijacked and refers to malicious sites. Chrome will not go to any sites and Java updates do not update on notification.

Fair to say the system has one very intelligent virus. Here come the logs and thank you very much for having a look.

DanInDorset

DDS (Ver_10-03-17.01) - NTFSx86
Run by Danny at 20:09:31.00 on 03/04/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1151.325 [GMT 1:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\BUFFALO\NASNAVI\nassvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Creative\Desktop Wireless\mouse_2k.exe
C:\Program Files\Creative\Desktop Wireless\kb_2k.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\BUFFALO\HDManage\HDManage.exe
C:\Program Files\BUFFALO\NASNAVI\nassche.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\Documents and Settings\Danny\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bbc.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: N/A: {be89472c-b803-4d1d-9a9a-0a63660e0fe3} - c:\progra~1\copern~1\COPERN~1.DLL
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6261\SiteAdv.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Copernic Agent: {f2e259e8-0fc8-438c-a6e0-342dd80fa53e} - c:\progra~1\copern~1\COPERN~1.DLL
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6261\SiteAdv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Copernic Agent Results: {6f480f82-c3a6-4d35-96f7-b297ad49fbe8} - c:\program files\copernic agent\CopernicAgentExt.dll
EB: Copernic Agent: {f2e259e8-0fc8-438c-a6e0-342dd80fa53e} - c:\progra~1\copern~1\COPERN~1.DLL
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [Google Update] "c:\documents and settings\danny\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [CreativeMouse ] c:\program files\creative\desktop wireless\mouse_2k.exe
mRun: [CreativeKeyboard ] c:\program files\creative\desktop wireless\kb_2k.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [SiteAdvisor] c:\program files\siteadvisor\6253\SiteAdv.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Memeo Backup] c:\program files\memeo\autobackup\MemeoLauncher2.exe --silent --no_ui
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\danny\startm~1\programs\startup\buffal~2.lnk - c:\program files\buffalo\nasnavi\NasNavi.exe
StartupFolder: c:\docume~1\danny\startm~1\programs\startup\buffal~1.lnk - c:\program files\buffalo\hdmanage\HDManage.exe
StartupFolder: c:\documents and settings\danny\start menu\programs\startup\msprotect32.exe
StartupFolder: c:\docume~1\danny\startm~1\programs\startup\nassch~1.lnk - c:\program files\buffalo\nasnavi\nassche.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\bttray.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Search Using Copernic Agent - c:\program files\copernic agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - c:\progra~1\copern~1\COPERN~1.EXE
IE: {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - c:\progra~1\copern~1\COPERN~1.EXE
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - hxxp://sib1.od2.com/common/Member/ClientInstall/10.20.0002/OCI/setup.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: copernicagent - {A979B6BD-E40B-4A07-ABDD-A62C64A4EBF6} - c:\progra~1\copern~1\COPERN~1.DLL
Handler: copernicagentcache - {AAC34CFD-274D-4A9D-B0DC-C74C05A67E1D} - c:\progra~1\copern~1\COPERN~1.DLL
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6261\SiteAdv.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\danny\applic~1\mozilla\firefox\profiles\l786zrls.default\
FF - prefs.js: browser.search.selectedEngine - Answers.com
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - component: c:\documents and settings\danny\application data\mozilla\firefox\profiles\l786zrls.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\siteadvisor\6261\ff\components\FFHook.dll
FF - plugin: c:\documents and settings\danny\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npImgCtl.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-3-28 217032]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-3-28 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-3-28 59664]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-9-3 214664]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-3-28 233136]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-3-28 112592]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2004-8-28 181864]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-9-3 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-9-3 144704]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\memeo\autobackup\MemeoBackgroundService.exe [2009-6-6 25824]
R2 NasPmService;NAS PM Service;c:\program files\buffalo\nasnavi\nassvc.exe -service_execute -dcyc=60 -dto=3 -dluc=0 -dmin=1 -dmax=60 -dflc=0 -apc=0 -log=0 -pm=1 -pall=1 -phttp=0 -pbc=0 -ppro=0 -pcyc=0 -pmin=1 -pmax=60 -pflc=0 --> c:\program files\buffalo\nasnavi\nassvc.exe -Service_Execute -dcyc=60 -dto=3 -dluc=0 -dmin=1 -dmax=60 -dflc=0 -apc=0 -log=0 -pm=1 -pall=1 -phttp=0 -pbc=0 -ppro=0 -pcyc=0 -pmin=1 -pmax=60 -pflc=0 [?]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-3-28 366840]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-9-3 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-9-3 35272]
R3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2010-3-28 70408]
R3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-3-28 1142224]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-3-28 33552]
R3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]
S2 gupdate1c9ead8b5b1618a;Google Update Service (gupdate1c9ead8b5b1618a);c:\program files\google\update\GoogleUpdate.exe [2009-6-11 133104]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2004-8-28 79464]
S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\drivers\FTD2XX.sys [2005-3-23 24197]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-3-22 13352]
S3 M920;SVR-M92x/93x USB Driver;c:\windows\system32\drivers\M920USB.sys [2005-12-15 10517]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-9-3 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-9-3 40552]
S3 PhDebug32;PhDebug32;\??\c:\bios\hr60\debug32.sys --> c:\bios\hr60\debug32.sys [?]
S3 PortRST;BaromTec HMS30C6001 Reset Driver;c:\windows\system32\drivers\PortRST.sys [2005-12-15 12721]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [2009-7-25 86696]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [2009-7-25 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [2009-7-25 114472]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [2009-7-25 108328]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [2009-7-25 26024]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [2009-7-25 104616]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [2009-7-25 109736]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-9-3 606736]

=============== Created Last 30 ================

2010-03-29 22:08:13 0 d-----w- C:\12080930b4314efb350758
2010-03-29 21:25:51 0 d-----w- C:\HiJackThis
2010-03-29 18:45:09 0 d-----w- c:\docume~1\danny\applic~1\PC Tools
2010-03-28 22:07:44 1089593 -c----w- c:\windows\system32\dllcache\ntprint.cat
2010-03-28 21:43:21 59664 --s---w- c:\windows\system32\drivers\TfSysMon.sys
2010-03-28 21:43:20 33552 --s---w- c:\windows\system32\drivers\TfNetMon.sys
2010-03-28 21:43:19 51984 --s---w- c:\windows\system32\drivers\TfFsMon.sys
2010-03-28 19:10:33 767952 ----a-w- c:\windows\BDTSupport.dll
2010-03-28 19:10:32 882 ----a-w- c:\windows\RegSDImport.xml
2010-03-28 19:10:32 879 ----a-w- c:\windows\RegISSImport.xml
2010-03-28 19:10:32 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-03-28 19:10:32 131 ----a-w- c:\windows\IDB.zip
2010-03-28 19:10:31 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-03-28 19:10:31 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-03-28 19:10:31 1152444 ----a-w- c:\windows\UDB.zip
2010-03-28 19:03:44 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-03-28 19:03:44 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-03-28 19:03:19 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-03-28 19:03:19 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-03-28 19:03:19 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-03-28 19:03:19 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-03-28 19:03:00 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-03-28 19:03:00 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-03-28 19:02:44 0 d-----w- c:\program files\Spyware Doctor
2010-03-28 19:02:44 0 d-----w- c:\program files\common files\PC Tools
2010-03-28 19:02:44 0 d-----w- c:\docume~1\alluse~1.win\applic~1\PC Tools
2010-03-25 23:44:23 0 d-----w- c:\windows\system32\XPSViewer
2010-03-25 23:42:45 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-03-25 23:42:45 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-03-25 23:42:45 117760 ------w- c:\windows\system32\prntvpt.dll
2010-03-25 23:42:44 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-03-25 23:42:44 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-03-25 23:42:43 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-03-25 23:42:43 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-03-25 23:17:04 0 d-sh--w- c:\documents and settings\danny\IECompatCache
2010-03-25 23:14:17 0 d-sh--w- c:\documents and settings\danny\PrivacIE
2010-03-25 22:32:40 0 d-----w- c:\docume~1\danny\applic~1\Malwarebytes
2010-03-25 22:32:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-25 22:32:20 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-25 22:32:20 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2010-03-25 22:32:19 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-25 22:25:52 0 d-sh--w- c:\documents and settings\danny\IETldCache
2010-03-25 22:14:37 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-25 22:14:36 78336 -c--a-w- c:\windows\system32\dllcache\ieencode.dll
2010-03-25 13:58:30 0 d-----w- c:\docume~1\alluse~1.win\applic~1\avG
2010-03-24 23:44:14 0 d-----w- c:\windows\system32\wbem\Repository
2010-03-24 23:00:48 0 d-----w- c:\docume~1\alluse~1.win\applic~1\SUPERAntiSpyware.com
2010-03-24 23:00:13 0 d-----w- c:\program files\SUPERAntiSpyware
2010-03-24 23:00:13 0 d-----w- c:\docume~1\danny\applic~1\SUPERAntiSpyware.com
2010-03-24 22:59:26 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-03-24 14:00:19 32 --s-a-w- c:\windows\system32\2249648381.dat
2010-03-23 21:06:00 0 d-----w- c:\docume~1\alluse~1.win\applic~1\RegCure
2010-03-21 10:42:58 56674352 --sha-w- c:\windows\system32\altvv.sys
2010-03-20 10:08:24 0 ----a-w- c:\windows\system32\1041a.sys
2010-03-19 19:01:20 120 ----a-w- c:\windows\Mnuhe.dat
2010-03-19 19:01:20 0 ----a-w- c:\windows\Byaxamuzage.bin
2010-03-19 18:56:45 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-10 19:08:17 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================

2010-03-25 13:13:05 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2008-07-21 08:21:01 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008072120080722\index.dat

============= FINISH: 20:30:38.70 ===============

GMER

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-03 22:42:55
Windows 5.1.2600 Service Pack 3
Running: x0vgmkth.exe; Driver: C:\DOCUME~1\Danny\LOCALS~1\Temp\ffriquog.sys


---- System - GMER 1.0.15 ----

SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwCreateKey [0xBA746AC2]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xBA76DEEE]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xBA76E0E0]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwDeleteKey [0xBA746CB6]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwDeleteValueKey [0xBA746D5C]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwOpenKey [0xBA7469B2]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xBA78ED72]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwSetValueKey [0xBA746EF8]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwTerminateProcess [0xBA748BD6]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA8A3C78C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA8A3C7CC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA8A3C710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA8A3C724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA8A3C7A0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA8A3C778]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA8A3C764]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA8A3C7E2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA8A3C7B6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 80515A92 7 Bytes JMP A8A3C7BA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8057C328 5 Bytes JMP A8A3C790 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8057CFC0 5 Bytes JMP A8A3C768 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 8057DEF1 5 Bytes JMP A8A3C7E6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 8057E369 7 Bytes JMP A8A3C7D0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 80581702 5 Bytes JMP A8A3C714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80581889 7 Bytes JMP A8A3C7A4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 805E1941 5 Bytes JMP A8A3C728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8063597F 5 Bytes JMP A8A3C77C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xBA7C3794]
init C:\WINDOWS\system32\drivers\tiumflt.sys entry point in "init" section [0xBACC8E00]
init C:\WINDOWS\system32\drivers\tiumfwl.sys entry point in "init" section [0xBABF2F00]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[788] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CE0000
.text C:\WINDOWS\System32\svchost.exe[788] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CE0F66
.text C:\WINDOWS\System32\svchost.exe[788] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CE0065
.text C:\WINDOWS\System32\svchost.exe[788] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CE004A
.text C:\WINDOWS\System32\svchost.exe[788] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CE0F8D
.text C:\WINDOWS\System32\svchost.exe[788] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CE0FC3
.text C:\WINDOWS\System32\svchost.exe[788] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CE00A2
.text C:\WINDOWS\System32\svchost.exe[788] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CE0091
.text C:\WINDOWS\System32\svchost.exe[788] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CE00BD
.text C:\WINDOWS\System32\svchost.exe[788] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CE0F24
.text C:\WINDOWS\System32\svchost.exe[788] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CE00CE
.text C:\WINDOWS\System32\svchost.exe[788] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CE0FA8
.text C:\WINDOWS\System32\svchost.exe[788] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CE001B
.text C:\WINDOWS\System32\svchost.exe[788] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CE0076
.text C:\WINDOWS\System32\svchost.exe[788] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CE0FD4
.text C:\WINDOWS\System32\svchost.exe[788] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CE0FE5
.text C:\WINDOWS\System32\svchost.exe[788] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CE0F3F
.text C:\WINDOWS\System32\svchost.exe[788] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BB0FCA
.text C:\WINDOWS\System32\svchost.exe[788] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BB0058
.text C:\WINDOWS\System32\svchost.exe[788] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BB0025
.text C:\WINDOWS\System32\svchost.exe[788] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BB0014
.text C:\WINDOWS\System32\svchost.exe[788] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BB0047
.text C:\WINDOWS\System32\svchost.exe[788] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\System32\svchost.exe[788] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BB0036
.text C:\WINDOWS\System32\svchost.exe[788] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BB0FAF
.text C:\WINDOWS\System32\svchost.exe[788] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BA0F86
.text C:\WINDOWS\System32\svchost.exe[788] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BA0FA1
.text C:\WINDOWS\System32\svchost.exe[788] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BA0FCD
.text C:\WINDOWS\System32\svchost.exe[788] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\System32\svchost.exe[788] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BA0FB2
.text C:\WINDOWS\System32\svchost.exe[788] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BA0FDE
.text C:\WINDOWS\System32\svchost.exe[788] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00B80000
.text C:\WINDOWS\System32\svchost.exe[788] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00B80011
.text C:\WINDOWS\System32\svchost.exe[788] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00B80FDB
.text C:\WINDOWS\System32\svchost.exe[788] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00B80FC0
.text C:\WINDOWS\System32\svchost.exe[788] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B90000
.text C:\WINDOWS\system32\services.exe[900] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FD0FEF
.text C:\WINDOWS\system32\services.exe[900] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FD0087
.text C:\WINDOWS\system32\services.exe[900] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FD006C
.text C:\WINDOWS\system32\services.exe[900] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FD0051
.text C:\WINDOWS\system32\services.exe[900] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FD0F9E
.text C:\WINDOWS\system32\services.exe[900] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FD0036
.text C:\WINDOWS\system32\services.exe[900] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FD0F61
.text C:\WINDOWS\system32\services.exe[900] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FD00A9
.text C:\WINDOWS\system32\services.exe[900] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FD00C4
.text C:\WINDOWS\system32\services.exe[900] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FD0F2B
.text C:\WINDOWS\system32\services.exe[900] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FD00D5
.text C:\WINDOWS\system32\services.exe[900] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FD0FAF
.text C:\WINDOWS\system32\services.exe[900] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FD000A
.text C:\WINDOWS\system32\services.exe[900] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FD0098
.text C:\WINDOWS\system32\services.exe[900] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FD001B
.text C:\WINDOWS\system32\services.exe[900] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FD0FCA
.text C:\WINDOWS\system32\services.exe[900] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FD0F46
.text C:\WINDOWS\system32\services.exe[900] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F80FD4
.text C:\WINDOWS\system32\services.exe[900] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F80F97
.text C:\WINDOWS\system32\services.exe[900] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F80FE5
.text C:\WINDOWS\system32\services.exe[900] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F80011
.text C:\WINDOWS\system32\services.exe[900] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F80FA8
.text C:\WINDOWS\system32\services.exe[900] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F80000
.text C:\WINDOWS\system32\services.exe[900] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F80FC3
.text C:\WINDOWS\system32\services.exe[900] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [18, 89]
.text C:\WINDOWS\system32\services.exe[900] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F8004A
.text C:\WINDOWS\system32\services.exe[900] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F70047
.text C:\WINDOWS\system32\services.exe[900] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F70036
.text C:\WINDOWS\system32\services.exe[900] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F7001B
.text C:\WINDOWS\system32\services.exe[900] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F70FE3
.text C:\WINDOWS\system32\services.exe[900] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F70FBC
.text C:\WINDOWS\system32\services.exe[900] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F70000
.text C:\WINDOWS\system32\services.exe[900] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00F50FEF
.text C:\WINDOWS\system32\services.exe[900] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00F50FDE
.text C:\WINDOWS\system32\services.exe[900] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00F50FC3
.text C:\WINDOWS\system32\services.exe[900] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00F50FA8
.text C:\WINDOWS\system32\services.exe[900] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F60FEF
.text C:\WINDOWS\system32\lsass.exe[912] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01170FEF
.text C:\WINDOWS\system32\lsass.exe[912] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01170F3A
.text C:\WINDOWS\system32\lsass.exe[912] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01170F4B
.text C:\WINDOWS\system32\lsass.exe[912] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01170F66
.text C:\WINDOWS\system32\lsass.exe[912] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0117002F
.text C:\WINDOWS\system32\lsass.exe[912] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01170F8D
.text C:\WINDOWS\system32\lsass.exe[912] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01170F0E
.text C:\WINDOWS\system32\lsass.exe[912] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0117004A
.text C:\WINDOWS\system32\lsass.exe[912] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01170EF3
.text C:\WINDOWS\system32\lsass.exe[912] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0117008C
.text C:\WINDOWS\system32\lsass.exe[912] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01170ECE
.text C:\WINDOWS\system32\lsass.exe[912] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0117001E
.text C:\WINDOWS\system32\lsass.exe[912] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01170FD4
.text C:\WINDOWS\system32\lsass.exe[912] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01170F1F
.text C:\WINDOWS\system32\lsass.exe[912] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01170FA8
.text C:\WINDOWS\system32\lsass.exe[912] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01170FB9
.text C:\WINDOWS\system32\lsass.exe[912] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01170071
.text C:\WINDOWS\system32\lsass.exe[912] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01160F9E
.text C:\WINDOWS\system32\lsass.exe[912] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01160F68
.text C:\WINDOWS\system32\lsass.exe[912] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01160FB9
.text C:\WINDOWS\system32\lsass.exe[912] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01160FD4
.text C:\WINDOWS\system32\lsass.exe[912] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01160F79
.text C:\WINDOWS\system32\lsass.exe[912] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01160FEF
.text C:\WINDOWS\system32\lsass.exe[912] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0116001B
.text C:\WINDOWS\system32\lsass.exe[912] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0116000A
.text C:\WINDOWS\system32\lsass.exe[912] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01150FB7
.text C:\WINDOWS\system32\lsass.exe[912] msvcrt.dll!system 77C293C7 5 Bytes JMP 0115004C
.text C:\WINDOWS\system32\lsass.exe[912] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01150FE3
.text C:\WINDOWS\system32\lsass.exe[912] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01150000
.text C:\WINDOWS\system32\lsass.exe[912] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01150FD2
.text C:\WINDOWS\system32\lsass.exe[912] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0115001D
.text C:\WINDOWS\system32\lsass.exe[912] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\lsass.exe[912] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00FE0FE5
.text C:\WINDOWS\system32\lsass.exe[912] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00FE0FD4
.text C:\WINDOWS\system32\lsass.exe[912] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\lsass.exe[912] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00FE0FAF
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DB0000
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DB0F9C
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DB0FB7
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DB0091
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DB0FD4
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DB0051
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DB00BD
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DB0F81
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DB0F38
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DB0F53
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DB00F6
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DB006C
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DB0011
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DB00A2
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DB0FE5
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DB002C
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DB0F64
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DA0FD1
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DA006C
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DA002C
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DA001B
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DA0FA5
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DA0000
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00DA0047
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DA0FC0
.text C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D90036
.text C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D9001B
.text C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D9000A
.text C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D90FEF
.text C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D90FAB
.text C:\WINDOWS\system32\svchost.exe[1104] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D90FD2
.text C:\WINDOWS\system32\svchost.exe[1104] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00D50000
.text C:\WINDOWS\system32\svchost.exe[1104] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00D50011
.text C:\WINDOWS\system32\svchost.exe[1104] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00D50FDB
.text C:\WINDOWS\system32\svchost.exe[1104] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00D5002C
.text C:\WINDOWS\system32\svchost.exe[1104] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D80000
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001D0FEF
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001D0054
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001D0F5F
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001D0043
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001D0032
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001D0F97
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001D0F38
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001D0080
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001D0EF1
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001D0F0C
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001D009B
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001D0F86
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001D0FD4
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001D006F
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001D0FA8
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001D0FC3
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001D0F27
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002C0FAF
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002C004A
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002C0FD4
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002C0FE5
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002C002F
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002C0000
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002C0F8D
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4C, 88]
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002C0F9E
.text C:\WINDOWS\system32\svchost.exe[1184] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0041001B
.text C:\WINDOWS\system32\svchost.exe[1184] msvcrt.dll!system 77C293C7 5 Bytes JMP 00410F90
.text C:\WINDOWS\system32\svchost.exe[1184] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00410FB5
.text C:\WINDOWS\system32\svchost.exe[1184] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00410FE3
.text C:\WINDOWS\system32\svchost.exe[1184] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00410000
.text C:\WINDOWS\system32\svchost.exe[1184] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00410FD2
.text C:\WINDOWS\system32\svchost.exe[1184] ws2_32.dll!socket 71AB4211 5 Bytes JMP 0091000A
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FB0000
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FB0F63
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FB0058
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FB0F8A
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FB0047
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FB002C
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FB0F26
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FB0F37
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FB00B5
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FB009A
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FB00C6
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FB0FA5
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FB0011
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FB0F48
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FB0FB6
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FB0FD1
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FB0089
.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FA0036
.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FA0FB6
.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FA001B
.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FA0000
.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FA0073
.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FA0FE5
.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FA0058
.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FA0047
.text C:\WINDOWS\system32\svchost.exe[1216] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F9002A
.text C:\WINDOWS\system32\svchost.exe[1216] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F90F95
.text C:\WINDOWS\system32\svchost.exe[1216] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F90FC1
.text C:\WINDOWS\system32\svchost.exe[1216] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F90FEF
.text C:\WINDOWS\system32\svchost.exe[1216] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F90FA6
.text C:\WINDOWS\system32\svchost.exe[1216] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F90FD2
.text C:\WINDOWS\system32\svchost.exe[1216] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00F70FEF
.text C:\WINDOWS\system32\svchost.exe[1216] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00F70FD4
.text C:\WINDOWS\system32\svchost.exe[1216] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00F70FB9
.text C:\WINDOWS\system32\svchost.exe[1216] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00F7000A
.text C:\WINDOWS\system32\svchost.exe[1216] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F80FEF
.text C:\WINDOWS\System32\svchost.exe[1260] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0098000A
.text C:\WINDOWS\System32\svchost.exe[1260] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[1260] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0097000C
.text C:\WINDOWS\System32\svchost.exe[1260] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 037B0000
.text C:\WINDOWS\System32\svchost.exe[1260] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 037B006C
.text C:\WINDOWS\System32\svchost.exe[1260] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 037B0F77
.text C:\WINDOWS\System32\svchost.exe[1260] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 037B0051
.text C:\WINDOWS\System32\svchost.exe[1260] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 037B0040
.text C:\WINDOWS\System32\svchost.exe[1260] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 037B0FB9
.text C:\WINDOWS\System32\svchost.exe[1260] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 037B0F3F
.text C:\WINDOWS\System32\svchost.exe[1260] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 037B0F5C
.text C:\WINDOWS\System32\svchost.exe[1260] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 037B00C4
.text C:\WINDOWS\System32\svchost.exe[1260] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 037B00B3
.text C:\WINDOWS\System32\svchost.exe[1260] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 037B0F06
.text C:\WINDOWS\System32\svchost.exe[1260] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 037B0F9E
.text C:\WINDOWS\System32\svchost.exe[1260] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 037B0FEF
.text C:\WINDOWS\System32\svchost.exe[1260] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 037B007D
.text C:\WINDOWS\System32\svchost.exe[1260] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 037B0025
.text C:\WINDOWS\System32\svchost.exe[1260] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 037B0FD4
.text C:\WINDOWS\System32\svchost.exe[1260] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 037B00A2
.text C:\WINDOWS\System32\svchost.exe[1260] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 037A0FD4
.text C:\WINDOWS\System32\svchost.exe[1260] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 037A0062
.text C:\WINDOWS\System32\svchost.exe[1260] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 037A0FE5
.text C:\WINDOWS\System32\svchost.exe[1260] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 037A001B
.text C:\WINDOWS\System32\svchost.exe[1260] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 037A0051
.text C:\WINDOWS\System32\svchost.exe[1260] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 037A0000
.text C:\WINDOWS\System32\svchost.exe[1260] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 037A0FAF
.text C:\WINDOWS\System32\svchost.exe[1260] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [9A, 8B]
.text C:\WINDOWS\System32\svchost.exe[1260] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 037A0036
.text C:\WINDOWS\System32\svchost.exe[1260] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01D0000A
.text C:\WINDOWS\System32\svchost.exe[1260] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 01CF000A
.text C:\WINDOWS\System32\svchost.exe[1260] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03510FBC
.text C:\WINDOWS\System32\svchost.exe[1260] msvcrt.dll!system 77C293C7 5 Bytes JMP 0351003D
.text C:\WINDOWS\System32\svchost.exe[1260] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03510011
.text C:\WINDOWS\System32\svchost.exe[1260] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03510000
.text C:\WINDOWS\System32\svchost.exe[1260] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0351002C
.text C:\WINDOWS\System32\svchost.exe[1260] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03510FD7
.text C:\WINDOWS\System32\svchost.exe[1260] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 02B50000
.text C:\WINDOWS\System32\svchost.exe[1260] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 02B5001B
.text C:\WINDOWS\System32\svchost.exe[1260] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 02B50FE5
.text C:\WINDOWS\System32\svchost.exe[1260] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 02B50FD4
.text C:\WINDOWS\System32\svchost.exe[1260] WS2_32.dll!socket 71AB4211 5 Bytes JMP 034B000A
.text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 008E0000
.text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 008E0F8D
.text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 008E0078
.text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 008E0F9E
.text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 008E005B
.text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 008E0FC0
.text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008E0F55
.text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 008E0F72
.text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008E00B8
.text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008E0F1F
.text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008E0F0E
.text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 008E0FAF
.text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 008E0011
.text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 008E009D
.text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 008E0FDB
.text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 008E002C
.text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 008E0F30
.text C:\WINDOWS\system32\svchost.exe[1444] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 008D0025
.text C:\WINDOWS\system32\svchost.exe[1444] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 008D0FB9
.text C:\WINDOWS\system32\svchost.exe[1444] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 008D0FD4
.text C:\WINDOWS\system32\svchost.exe[1444] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 008D000A
.text C:\WINDOWS\system32\svchost.exe[1444] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 008D006C
.text C:\WINDOWS\system32\svchost.exe[1444] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 008D0FEF
.text C:\WINDOWS\system32\svchost.exe[1444] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 008D0051
.text C:\WINDOWS\system32\svchost.exe[1444] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 008D0040
.text C:\WINDOWS\system32\svchost.exe[1444] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008C0053
.text C:\WINDOWS\system32\svchost.exe[1444] msvcrt.dll!system 77C293C7 5 Bytes JMP 008C0042
.text C:\WINDOWS\system32\svchost.exe[1444] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008C0FD2
.text C:\WINDOWS\system32\svchost.exe[1444] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008C000C
.text C:\WINDOWS\system32\svchost.exe[1444] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008C0027
.text C:\WINDOWS\system32\svchost.exe[1444] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008C0FEF
.text C:\WINDOWS\system32\svchost.exe[1444] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 008B0FEF
.text C:\WINDOWS\system32\svchost.exe[1444] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 008B000A
.text C:\WINDOWS\system32\svchost.exe[1444] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 008B0FDE
.text C:\WINDOWS\system32\svchost.exe[1444] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 008B0FC3
.text C:\WINDOWS\System32\svchost.exe[1524] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A20FEF
.text C:\WINDOWS\System32\svchost.exe[1524] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A20F6D
.text C:\WINDOWS\System32\svchost.exe[1524] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A20062
.text C:\WINDOWS\System32\svchost.exe[1524] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A20051
.text C:\WINDOWS\System32\svchost.exe[1524] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A20F9E
.text C:\WINDOWS\System32\svchost.exe[1524] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A2002F
.text C:\WINDOWS\System32\svchost.exe[1524] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A20F35
.text C:\WINDOWS\System32\svchost.exe[1524] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A2007D
.text C:\WINDOWS\System32\svchost.exe[1524] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A200A2
.text C:\WINDOWS\System32\svchost.exe[1524] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A20F13
.text C:\WINDOWS\System32\svchost.exe[1524] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A20EEE
.text C:\WINDOWS\System32\svchost.exe[1524] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A20040
.text C:\WINDOWS\System32\svchost.exe[1524] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A20FDE
.text C:\WINDOWS\System32\svchost.exe[1524] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A20F52
.text C:\WINDOWS\System32\svchost.exe[1524] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A2001E
.text C:\WINDOWS\System32\svchost.exe[1524] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A20FCD
.text C:\WINDOWS\System32\svchost.exe[1524] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A20F24
.text C:\WINDOWS\System32\svchost.exe[1524] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A1002C
.text C:\WINDOWS\System32\svchost.exe[1524] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A10F9B
.text C:\WINDOWS\System32\svchost.exe[1524] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A10FDB
.text C:\WINDOWS\System32\svchost.exe[1524] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A10011
.text C:\WINDOWS\System32\svchost.exe[1524] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A10062
.text C:\WINDOWS\System32\svchost.exe[1524] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A10000
.text C:\WINDOWS\System32\svchost.exe[1524] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A10FB6
.text C:\WINDOWS\System32\svchost.exe[1524] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C1, 88]
.text C:\WINDOWS\System32\svchost.exe[1524] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A1003D
.text C:\WINDOWS\System32\svchost.exe[1524] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A00FA1
.text C:\WINDOWS\System32\svchost.exe[1524] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A0002C
.text C:\WINDOWS\System32\svchost.exe[1524] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A00FC6
.text C:\WINDOWS\System32\svchost.exe[1524] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A00000
.text C:\WINDOWS\System32\svchost.exe[1524] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A0001B
.text C:\WINDOWS\System32\svchost.exe[1524] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A00FD7
.text C:\WINDOWS\System32\svchost.exe[1524] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 001B0000
.text C:\WINDOWS\System32\svchost.exe[1524] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 001B0011
.text C:\WINDOWS\System32\svchost.exe[1524] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 001B0022
.text C:\WINDOWS\System32\svchost.exe[1524] WININET.dll!InternetOpenUrlW 3D998439 1 Byte [E9]
.text C:\WINDOWS\System32\svchost.exe[1524] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 001B003D
.text C:\WINDOWS\System32\svchost.exe[1524] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009F0FEF
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C70000
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C70F7A
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C70F8B
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C70065
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C70FA8
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C70040
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C70094
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C70F42
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C70F0C
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C70F31
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C700CA
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C70FB9
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C70FE5
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C70F5F
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C70025
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C70FD4
.text C:\WINDOWS\System32\svchost.exe[1656] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C700AF
.text C:\WINDOWS\System32\svchost.exe[1656] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C60FD4
.text C:\WINDOWS\System32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C6004A
.text C:\WINDOWS\System32\svchost.exe[1656] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C60FE5
.text C:\WINDOWS\System32\svchost.exe[1656] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C6001B
.text C:\WINDOWS\System32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C60F8D
.text C:\WINDOWS\System32\svchost.exe[1656] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C60000
.text C:\WINDOWS\System32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C60FA8
.text C:\WINDOWS\System32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E6, 88] {OUT 0x88, AL}
.text C:\WINDOWS\System32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C60FB9
.text C:\WINDOWS\System32\svchost.exe[1656] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C50FC1
.text C:\WINDOWS\System32\svchost.exe[1656] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C5004C
.text C:\WINDOWS\System32\svchost.exe[1656] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C50027
.text C:\WINDOWS\System32\svchost.exe[1656] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C50FEF
.text C:\WINDOWS\System32\svchost.exe[1656] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C50FD2
.text C:\WINDOWS\System32\svchost.exe[1656] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C5000C
.text C:\WINDOWS\System32\svchost.exe[1656] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 001B0000
.text C:\WINDOWS\System32\svchost.exe[1656] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 001B0011
.text C:\WINDOWS\System32\svchost.exe[1656] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 001B0022
.text C:\WINDOWS\System32\svchost.exe[1656] WININET.dll!InternetOpenUrlW 3D998439 1 Byte [E9]
.text C:\WINDOWS\System32\svchost.exe[1656] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 001B003D
.text C:\WINDOWS\System32\svchost.exe[1656] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C40000
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1844] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1844] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\Explorer.EXE[2136] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[2136] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C4000A
.text C:\WINDOWS\Explorer.EXE[2136] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C
.text C:\WINDOWS\Explorer.EXE[2136] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F60FE5
.text C:\WINDOWS\Explorer.EXE[2136] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F60F9E
.text C:\WINDOWS\Explorer.EXE[2136] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F60FB9
.text C:\WINDOWS\Explorer.EXE[2136] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F60093
.text C:\WINDOWS\Explorer.EXE[2136] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F6006C
.text C:\WINDOWS\Explorer.EXE[2136] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F60040
.text C:\WINDOWS\Explorer.EXE[2136] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F60F66
.text C:\WINDOWS\Explorer.EXE[2136] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F600AE
.text C:\WINDOWS\Explorer.EXE[2136] kernel32.dll!CreateProcessW 7C802336 1 Byte [E9]
.text C:\WINDOWS\Explorer.EXE[2136] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F60F3A
.text C:\WINDOWS\Explorer.EXE[2136] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F600DD
.text C:\WINDOWS\Explorer.EXE[2136] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F600EE
.text C:\WINDOWS\Explorer.EXE[2136] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F6005B
.text C:\WINDOWS\Explorer.EXE[2136] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F60FD4
.text C:\WINDOWS\Explorer.EXE[2136] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F60F83
.text C:\WINDOWS\Explorer.EXE[2136] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F60025
.text C:\WINDOWS\Explorer.EXE[2136] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F60014
.text C:\WINDOWS\Explorer.EXE[2136] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F60F55
.text C:\WINDOWS\Explorer.EXE[2136] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EF0FD4
.text C:\WINDOWS\Explorer.EXE[2136] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EF0F8D
.text C:\WINDOWS\Explorer.EXE[2136] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EF0025
.text C:\WINDOWS\Explorer.EXE[2136] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EF0FEF
.text C:\WINDOWS\Explorer.EXE[2136] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EF0F9E
.text C:\WINDOWS\Explorer.EXE[2136] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EF000A
.text C:\WINDOWS\Explorer.EXE[2136] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00EF0FB9
.text C:\WINDOWS\Explorer.EXE[2136] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [0F, 89]
.text C:\WINDOWS\Explorer.EXE[2136] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EF0040
.text C:\WINDOWS\Explorer.EXE[2136] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EE0FA5
.text C:\WINDOWS\Explorer.EXE[2136] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EE0FCA
.text C:\WINDOWS\Explorer.EXE[2136] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EE003A
.text C:\WINDOWS\Explorer.EXE[2136] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EE0000
.text C:\WINDOWS\Explorer.EXE[2136] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EE0FE5
.text C:\WINDOWS\Explorer.EXE[2136] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EE0029
.text C:\WINDOWS\Explorer.EXE[2136] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00D50000
.text C:\WINDOWS\Explorer.EXE[2136] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00D50FE5
.text C:\WINDOWS\Explorer.EXE[2136] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00D50FCA
.text C:\WINDOWS\Explorer.EXE[2136] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00D5001B
.text C:\WINDOWS\Explorer.EXE[2136] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D60000
.text C:\WINDOWS\System32\svchost.exe[2420] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FC0FE5
.text C:\WINDOWS\System32\svchost.exe[2420] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FC0F8A
.text C:\WINDOWS\System32\svchost.exe[2420] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FC0075
.text C:\WINDOWS\System32\svchost.exe[2420] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FC0F9B
.text C:\WINDOWS\System32\svchost.exe[2420] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FC0058
.text C:\WINDOWS\System32\svchost.exe[2420] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FC0022
.text C:\WINDOWS\System32\svchost.exe[2420] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FC0F52
.text C:\WINDOWS\System32\svchost.exe[2420] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FC0F6F
.text C:\WINDOWS\System32\svchost.exe[2420] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FC0F30
.text C:\WINDOWS\System32\svchost.exe[2420] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FC00C9
.text C:\WINDOWS\System32\svchost.exe[2420] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FC0F15
.text C:\WINDOWS\System32\svchost.exe[2420] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FC003D
.text C:\WINDOWS\System32\svchost.exe[2420] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FC0000
.text C:\WINDOWS\System32\svchost.exe[2420] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FC009A
.text C:\WINDOWS\System32\svchost.exe[2420] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FC0FC0
.text C:\WINDOWS\System32\svchost.exe[2420] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FC0011
.text C:\WINDOWS\System32\svchost.exe[2420] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FC0F41
.text C:\WINDOWS\System32\svchost.exe[2420] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FB001B
.text C:\WINDOWS\System32\svchost.exe[2420] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FB005B
.text C:\WINDOWS\System32\svchost.exe[2420] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FB0FCA
.text C:\WINDOWS\System32\svchost.exe[2420] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FB0FE5
.text C:\WINDOWS\System32\svchost.exe[2420] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FB0036
.text C:\WINDOWS\System32\svchost.exe[2420] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FB0000
.text C:\WINDOWS\System32\svchost.exe[2420] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00FB0F94
.text C:\WINDOWS\System32\svchost.exe[2420] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1B, 89]
.text C:\WINDOWS\System32\svchost.exe[2420] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FB0FAF
.text C:\WINDOWS\System32\svchost.exe[2420] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FA0045
.text C:\WINDOWS\System32\svchost.exe[2420] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FA0FB0
.text C:\WINDOWS\System32\svchost.exe[2420] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FA0FC1
.text C:\WINDOWS\System32\svchost.exe[2420] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FA0FEF
.text C:\WINDOWS\System32\svchost.exe[2420] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FA0016
.text C:\WINDOWS\System32\svchost.exe[2420] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FA0FD2
.text C:\WINDOWS\System32\svchost.exe[2420] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00F90FEF
.text C:\WINDOWS\System32\svchost.exe[2420] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00F90000
.text C:\WINDOWS\System32\svchost.exe[2420] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00F90FCA
.text C:\WINDOWS\System32\svchost.exe[2420] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00F9001B
.text C:\WINDOWS\system32\wuauclt.exe[3008] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009D000A
.text C:\WINDOWS\system32\wuauclt.exe[3008] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009E000A
.text C:\WINDOWS\system32\wuauclt.exe[3008] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 009C000C
.text C:\WINDOWS\system32\wuauclt.exe[3008] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00900F77
.text C:\WINDOWS\system32\wuauclt.exe[3008] msvcrt.dll!system 77C293C7 5 Bytes JMP 0090000C
.text C:\WINDOWS\system32\wuauclt.exe[3008] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00900FC1
.text C:\WINDOWS\system32\wuauclt.exe[3008] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00900FE3
.text C:\WINDOWS\system32\wuauclt.exe[3008] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00900FA6
.text C:\WINDOWS\system32\wuauclt.exe[3008] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00900FD2
.text C:\WINDOWS\system32\wuauclt.exe[3008] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00910FAF
.text C:\WINDOWS\system32\wuauclt.exe[3008] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00910036
.text C:\WINDOWS\system32\wuauclt.exe[3008] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00910FCA
.text C:\WINDOWS\system32\wuauclt.exe[3008] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00910FE5
.text C:\WINDOWS\system32\wuauclt.exe[3008] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00910F79
.text C:\WINDOWS\system32\wuauclt.exe[3008] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00910000
.text C:\WINDOWS\system32\wuauclt.exe[3008] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0091001B
.text C:\WINDOWS\system32\wuauclt.exe[3008] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00910F94
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3568] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0044B8D9 C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Tcp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Udp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\RawIp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat InCDrec.SYS (InCD File System Recognizer/Nero AG)

Device -> \Driver\atapi \Device\Harddisk0\DR0 88ABFCA1

---- Threads - GMER 1.0.15 ----

Thread explorer.exe [2136:1672] 00FA2930

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{406CE662-49A5-A824-9AD16CDB8C980A83}\{51810E7B-CC7B-50CD-91DC82E76A5CA55B}\{3C9B1055-B264-EADB-6986DE03867D1DB4}
Reg HKLM\SOFTWARE\Classes\CLSID\{406CE662-49A5-A824-9AD16CDB8C980A83}\{51810E7B-CC7B-50CD-91DC82E76A5CA55B}\{3C9B1055-B264-EADB-6986DE03867D1DB4}@SE4K5INHHR1EDZYY15BVZC6TKG1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{BF11F383-757D-CF48-6D213AC2BB6130AD}\{12507465-D6D8-AFB1-97ED5D21195D77D5}\{90E47118-DD98-E716-1AABCD138C042D55}
Reg HKLM\SOFTWARE\Classes\CLSID\{BF11F383-757D-CF48-6D213AC2BB6130AD}\{12507465-D6D8-AFB1-97ED5D21195D77D5}\{90E47118-DD98-E716-1AABCD138C042D55}@{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1 0x01 0x00 0x01 0x00 ...
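
Added example (not part of DanInDorset's post, and not a GMER feature): a small Python triage script for the ".text" hook lines in a GMER listing like the one above. GMER appends the path and description of the owning module when a JMP/CALL target lies inside an image it can find on disk (see the pctsTray.exe line); a target with no such attribution points into memory that no loaded module backs, which is the usual footprint of injected code and the first thing an analyst sorts out from the legitimate hooks of security products. The sample input is a constructed subset of the lines above; the grouping of targets by 64 KiB region is an assumption of the script, not something GMER reports.

```python
"""Triage the user-mode hooks in a GMER 1.0.15 "Code sections" listing.

Each ".text" line records an inline patch inside a process: the hooked
export, the patched address, the patch length and, for JMP/CALL patches,
the target address.  When the target lies inside a module GMER can find
on disk it appends that module's path and description; a target with no
attribution points into memory that no loaded image backs.
"""
import re

HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<export>\S+)(?:\s*\+\s*(?P<offset>[0-9A-F]+))?\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<size>\d+)\s+Bytes\s+(?P<rest>.*)$",
    re.IGNORECASE,
)
TARGET_RE = re.compile(
    r"^(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-F]{8})\s*(?P<attribution>.*)$",
    re.IGNORECASE,
)

# Constructed sample: a subset of the lines from the log above, plus one
# line from another GMER section to show that non-hook lines are skipped.
SAMPLE_GMER = r"""
.text C:\WINDOWS\System32\svchost.exe[2420] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FC0F30
.text C:\WINDOWS\System32\svchost.exe[2420] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FC0F41
.text C:\WINDOWS\System32\svchost.exe[2420] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00FB0F94
.text C:\WINDOWS\System32\svchost.exe[2420] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1B, 89]
.text C:\WINDOWS\System32\svchost.exe[2420] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00F90FEF
.text C:\WINDOWS\system32\wuauclt.exe[3008] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009D000A
.text C:\WINDOWS\system32\wuauclt.exe[3008] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00900F77
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3568] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0044B8D9 C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)
AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
"""


def parse_hooks(text):
    """Return one dict per ".text" line; lines from other GMER sections are ignored."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        hook = m.groupdict()
        hook["pid"] = int(hook["pid"])
        hook["addr"] = int(hook["addr"], 16)
        hook["size"] = int(hook["size"])
        hook["offset"] = int(hook["offset"], 16) if hook["offset"] else 0
        t = TARGET_RE.match(hook.pop("rest"))
        if t:
            hook["kind"] = t["kind"].upper()
            hook["target"] = int(t["target"], 16)
            hook["attribution"] = t["attribution"].strip()
        else:  # raw patch bytes such as "[1B, 89]": the tail of a split patch
            hook["kind"] = "BYTES"
            hook["target"] = None
            hook["attribution"] = ""
        hooks.append(hook)
    return hooks


def classify(hook):
    """'module'  : target inside a module GMER found on disk
       'unbacked': JMP/CALL into memory no loaded image owns
       'bytes'   : raw bytes with no branch target"""
    if hook["target"] is None:
        return "bytes"
    return "module" if hook["attribution"] else "unbacked"


def summarize(text):
    """Per (image, pid): counts per verdict, the exports hooked into unbacked
    memory, and the 64 KiB regions those targets fall in (assumption: Windows
    reserves memory at 64 KiB granularity, so one region is usually one blob)."""
    report = {}
    for h in parse_hooks(text):
        entry = report.setdefault(
            (h["image"], h["pid"]),
            {"unbacked": 0, "module": 0, "bytes": 0, "hooked": [], "regions": set()},
        )
        verdict = classify(h)
        entry[verdict] += 1
        if verdict == "unbacked":
            entry["hooked"].append(f"{h['module']}!{h['export']}")
            entry["regions"].add(h["target"] & 0xFFFF0000)
    return report


def format_report(report):
    """Processes with the most unbacked hooks first, one hooked export per line."""
    lines = []
    for (image, pid), e in sorted(report.items(), key=lambda kv: -kv[1]["unbacked"]):
        regions = ", ".join(f"{r:08X}" for r in sorted(e["regions"])) or "-"
        lines.append(f"{image}[{pid}]: {e['unbacked']} unbacked, "
                     f"{e['module']} in-module, {e['bytes']} byte patches; "
                     f"injected regions: {regions}")
        lines.extend(f"    {name}" for name in e["hooked"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_GMER)))
```

Run against the full log above, the script puts svchost.exe[2420] and wuauclt.exe[3008] at the top, each with every hook landing in a handful of low, unattributed 64 KiB regions (00F9xxxx to 00FCxxxx and 0090xxxx to 009Exxxx), while the single pctsTray.exe hook resolves to its own image. Which product or tool injected that code is not something the listing alone can tell you; the point of the triage is to separate the lines that need an answer from the ones that already have one.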


#4 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 04 April 2010 - 12:41 PM

Hello, DanInDorset
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

Please go here and have a look how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#5 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 08 April 2010 - 11:17 AM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber

