antivirus xp 2010, xp security 2010 issues


This topic is locked
3 replies to this topic

#1 jdynasty

Posted 04 April 2010 - 12:32 PM

I apologize in advance if I shouldn't post here until I am directed to this forum from the "I am infected" forum. However, I see nothing written frowning upon starting in this forum.

I ran into Antivirus XP 2010 a few days ago, and thought it had been removed using the removal guide found on this website. I even did a McAfee and Malwarebytes scan this morning to double check and found nothing. Fast forward to this afternoon. I looked over at my desktop and saw 3 or 4 fake security alerts. Thus it is back.

In addition to this, at startup I've occasionally been getting "checking file system on C: type of file system is FAT32". This drive check is done with a light blue background. It takes 3-5 minutes, and then takes me to Windows.


I was able to put Malwarebytes and FixExe onto a flash drive and get them to run on the infected computer (per the Bleeping Computer removal guide instructions). Malwarebytes found 5 "items" infected.

This is my parents' computer and I would really like to get it fixed before I leave Monday morning. I know that is basically impossible due to the number of people you help here. However, if there is any way I can at least get the ball rolling, I would appreciate any assistance you can give at your earliest convenience.

Thanks for your help and future advice.

DDS logs followed by gmer.log:


DDS (Ver_10-03-17.01) - FAT32x86
Run by BV at 10:47:26.31 on Sun 04/04/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.120 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\BV\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://att.yahoo.com/
uWindow Title = Microsoft Internet Explorer presented by Comcast
uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mWindow Title = Microsoft Internet Explorer presented by Comcast
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: {2cb9ec7a-271a-4e57-9528-c47b5cafcbe1} - lugapeda.dll
BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [RetroExpress] c:\progra~1\dantz\retros~1\RetroExpress.exe /h
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [MXOBG] c:\windows\MXOALDR.EXE
mRun: [MaxtorOneTouch] c:\program files\maxtor\onetouch\utils\Onetouch.exe
mRun: [Camera Detector] c:\progra~1\acdsys~1\devdet~1\DEVDET~1.EXE -autorun
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [Motive SmartBridge] c:\progra~1\sbcsel~1\smartb~1\MotiveSB.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sbcsel~1.lnk - c:\program files\sbc self support tool\bin\matcli.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - file://c:\tempei4\ei40_\msxml4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38138.4846064815
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
AppInit_DLLs: lumunido.dll
LSA: Notification Packages = scecli lumunido.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bv\applic~1\mozilla\firefox\profiles\o942jaf4.default\
FF - prefs.js: browser.startup.homepage - file:///C:/Documents%20and%20Settings/BV/Application%20Data/Mozilla/Firefox/Profiles/o942jaf4.default/bookmarks.html
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-9-16 214664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-10-25 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-10-25 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-10-25 144704]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-10-25 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-10-25 35272]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S3 Acsysin5rs;Acsysin5rs; [x]
S3 Atapkflhport;Atapkflhport; [x]
S3 Hidseomr;Hidseomr;c:\windows\system32\drivers\WmHidLo.sys [2005-1-14 14432]
S3 Hpnfwmp5;Hpnfwmp5; [x]
S3 Iiaidisn;Iiaidisn; [x]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-10-25 606736]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-10-25 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-10-25 40552]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 Usbtnapa;Usbtnapa; [x]

=============== Created Last 30 ================

2010-03-23 12:17:06 0 d-----w- c:\program files\common files\xing shared
2010-03-10 15:10:03 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================

2010-03-30 04:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 12:16:28 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-03-31 20:54:46 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009033120090401\index.dat

============= FINISH: 10:49:50.06 ===============



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-04 13:01:47
Windows 5.1.2600 Service Pack 3
Running: rywbpwml.exe; Driver: C:\DOCUME~1\BV\LOCALS~1\Temp\ufldapob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF68E678A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xF68E6821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF68E6738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF68E674C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xF68E6835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF68E6861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF68E68CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF68E68B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF68E67CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF68E68FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xF68E680D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF68E6710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF68E6724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF68E679E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xF68E6937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF68E68A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF68E688D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xF68E684B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xF68E6923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xF68E690F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF68E6776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF68E6762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xF68E6877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF68E67F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xF68E68E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF68E67E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF68E67B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- User code sections - GMER 1.0.15 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[252] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[252] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[896] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[896] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0007004D
.text C:\WINDOWS\system32\services.exe[896] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070F62
.text C:\WINDOWS\system32\services.exe[896] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070F7F
.text C:\WINDOWS\system32\services.exe[896] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070F90
.text C:\WINDOWS\system32\services.exe[896] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070FA1
.text C:\WINDOWS\system32\services.exe[896] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F31
.text C:\WINDOWS\system32\services.exe[896] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070079
.text C:\WINDOWS\system32\services.exe[896] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000700CA
.text C:\WINDOWS\system32\services.exe[896] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 000700B9
.text C:\WINDOWS\system32\services.exe[896] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 000700E5
.text C:\WINDOWS\system32\services.exe[896] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070032
.text C:\WINDOWS\system32\services.exe[896] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[896] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0007005E
.text C:\WINDOWS\system32\services.exe[896] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070FB2
.text C:\WINDOWS\system32\services.exe[896] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00070FC3
.text C:\WINDOWS\system32\services.exe[896] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0007009E
.text C:\WINDOWS\system32\services.exe[896] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060FB9
.text C:\WINDOWS\system32\services.exe[896] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060F8D
.text C:\WINDOWS\system32\services.exe[896] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0006000A
.text C:\WINDOWS\system32\services.exe[896] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060FDE
.text C:\WINDOWS\system32\services.exe[896] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0006004A
.text C:\WINDOWS\system32\services.exe[896] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[896] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00060F9E
.text C:\WINDOWS\system32\services.exe[896] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [26, 88]
.text C:\WINDOWS\system32\services.exe[896] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060025
.text C:\WINDOWS\system32\services.exe[896] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0005001B
.text C:\WINDOWS\system32\services.exe[896] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050F9A
.text C:\WINDOWS\system32\services.exe[896] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FAB
.text C:\WINDOWS\system32\services.exe[896] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\services.exe[896] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0005000A
.text C:\WINDOWS\system32\services.exe[896] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050FD2
.text C:\WINDOWS\system32\services.exe[896] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C90000
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C900A4
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C90FAF
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C9007D
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C90FCA
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C90051
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C900DC
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C90F94
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C90108
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C90F79
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C90119
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C90062
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C90011
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C900B5
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C90036
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C90FDB
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C900ED
.text C:\WINDOWS\system32\lsass.exe[932] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C80FAF
.text C:\WINDOWS\system32\lsass.exe[932] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C80F57
.text C:\WINDOWS\system32\lsass.exe[932] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C8000A
.text C:\WINDOWS\system32\lsass.exe[932] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C80FD4
.text C:\WINDOWS\system32\lsass.exe[932] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C80F68
.text C:\WINDOWS\system32\lsass.exe[932] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C80FEF
.text C:\WINDOWS\system32\lsass.exe[932] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C80F79
.text C:\WINDOWS\system32\lsass.exe[932] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes CALL C89FEDE5
.text C:\WINDOWS\system32\lsass.exe[932] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C80F9E
.text C:\WINDOWS\system32\lsass.exe[932] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C70F81

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version
Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version@Version 0x94 0x67 0x2B 0x80 ...

---- EOF - GMER 1.0.15 ----


#2 jdynasty

jdynasty
  • Topic Starter
  • Members
  • 34 posts

Posted 04 April 2010 - 12:37 PM

Here are my most recent m-bytes logs (most recent first):

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3951

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/3/2010 6:58:56 PM
mbam-log-2010-04-03 (18-58-56).txt

Scan type: Full scan (A:\|C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|)
Objects scanned: 188559
Time elapsed: 52 minute(s), 51 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
C:\Documents and Settings\LocalService\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\BV\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\BV\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\BV\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\LocalService\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.



NOTE BETWEEN THESE TWO SCANS I DID 3 OTHER M-BYTE FULL SCANS THAT CAME UP CLEAN


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3951

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/3/2010 6:58:56 PM
mbam-log-2010-04-03 (18-58-56).txt

Scan type: Full scan (A:\|C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|)
Objects scanned: 188559
Time elapsed: 52 minute(s), 51 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
C:\Documents and Settings\LocalService\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\BV\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\BV\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\BV\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\LocalService\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
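
The three Hijack.StartMenuInternet lines in the log above show how the rogue kept coming back: the (default) value of HKLM\SOFTWARE\Clients\StartMenuInternet\<browser>\shell\open\command (and Firefox's shell\safemode\command) had been rewritten so that starting the browser from the Start menu runs ave.exe first, which then launches the real browser through its /START argument. The Python script below is an added example, not part of the original post and not Malwarebytes' code: it parses those log lines (embedded verbatim as constructed sample input), classifies each Bad: command as hijacked when the expected browser executable appears only as an argument to some other executable, and on Windows can read the live keys with winreg. The key layout and the ave.exe /START wrapping come from the log; the function names, verdict labels and the regexes are my own.

```python
"""Triage Hijack.StartMenuInternet entries.

Parses the Bad: command values from a Malwarebytes log and decides whether the
browser launcher was wrapped by another executable (ave.exe in the log above).
On Windows it can also read the live HKLM\\SOFTWARE\\Clients\\StartMenuInternet keys.
Added example; not part of the original post.
"""
import ntpath
import re
from typing import Dict, List, Optional, Tuple

STARTMENU_ROOT = r"SOFTWARE\Clients\StartMenuInternet"

# One line of the "Registry Data Items Infected:" section of an MBAM log.
MBAM_LINE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Clients\\StartMenuInternet\\"
    r"(?P<client>[^\\]+)\\shell\\(?P<verb>[^\\]+)\\command\\\(default\) "
    r"\((?P<detection>[^)]+)\) -> Bad: \((?P<bad>.*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.*)$"
)

# Windows-style command line tokeniser: double-quoted runs or bare words.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_command(cmd: str) -> List[str]:
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmd)]


def assess(command: str, expected_exe: str) -> Tuple[str, Optional[str], List[str]]:
    """Classify a shell\\open\\command value against the browser it should start.

    ok         - the command runs the expected browser executable directly
    hijacked   - something else runs first and the real browser is passed as an argument
    unexpected - neither; needs a human look (also the result for clients whose key
                 name is not an .exe name, e.g. a vendor name, since nothing is matched)
    """
    tokens = split_command(command)
    if not tokens:
        return "unexpected", None, []
    launcher = tokens[0]
    wrapped = [t for t in tokens[1:] if t.lower().endswith(".exe")]
    if ntpath.basename(launcher).lower() == expected_exe.lower():
        return "ok", launcher, wrapped
    if any(ntpath.basename(t).lower() == expected_exe.lower() for t in wrapped):
        return "hijacked", launcher, wrapped
    return "unexpected", launcher, wrapped


def triage_log(text: str) -> List[Dict]:
    """Run assess() over every StartMenuInternet hijack line in an MBAM log."""
    findings = []
    for line in text.splitlines():
        m = MBAM_LINE.match(line.strip())
        if not m:
            continue
        expected = m["client"].lower()  # key name FIREFOX.EXE -> firefox.exe
        verdict, launcher, wrapped = assess(m["bad"], expected)
        findings.append({"client": m["client"], "verb": m["verb"], "verdict": verdict,
                         "launcher": launcher, "wrapped": wrapped,
                         "good": m["good"], "action": m["action"]})
    return findings


def check_live_registry() -> List[Dict]:
    """Windows only: read every StartMenuInternet client's shell\\open\\command."""
    import winreg  # ImportError off Windows
    results = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, STARTMENU_ROOT) as root:
        i = 0
        while True:
            try:
                client = winreg.EnumKey(root, i)
            except OSError:
                break  # no more subkeys
            i += 1
            with winreg.OpenKey(root, client) as ck:
                try:
                    cmd = winreg.QueryValue(ck, r"shell\open\command")  # (default) value
                except OSError:
                    continue
            verdict, launcher, wrapped = assess(cmd, client)
            results.append({"client": client, "verdict": verdict,
                            "launcher": launcher, "wrapped": wrapped})
    return results


# Constructed sample input: the three hijack lines from the log above, verbatim.
SAMPLE_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\BV\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\BV\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\BV\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f['client']:12} {f['verb']:8} {f['verdict']:9} "
              f"launcher={f['launcher']} wraps={f['wrapped']}")
```

All three sample lines come back hijacked with ave.exe as the launcher. The Good: values in the log (firefox.exe, iexplore.exe, firefox.exe -safe-mode) are what the live keys should read once the fix has held, and check_live_registry() reports those as ok. One detail the log leaves open: the file MBAM quarantined sits under the LocalService profile, while the hijacked commands point at ave.exe under the BV profile, so that second path is worth checking on its own.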


#3 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:08:50 AM

Posted 08 April 2010 - 11:30 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#4 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:08:50 AM

Posted 12 April 2010 - 11:17 PM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber




